Cryptographic system, cryptographic method, and cryptographic program

ABSTRACT

The present invention aims to allow for addition of an attribute category without reissuing a public parameter. A cryptographic system  10  uses an indexing technique in dual system encryption in dual pairing vector spaces. Specifically, for a transmission-side vector t j  for index j, the cryptographic system  10  sets information J assigned to the index j in advance as a coefficient of a predetermined basis vector. For a reception-side vector for index j′ corresponding to the index j, the cryptographic system  10  sets information J′ having an inner-product of 0 with the information J as a coefficient of a basis vector corresponding to the predetermined basis vector.

TECHNICAL FIELD

The present invention relates to a cryptographic system that allows foraddition of an attribute category without reissuing a public parameter.

BACKGROUND ART

Non-Patent Literature 29 describes a functional encryption scheme.

CITATION LIST Non-Patent Literature

-   Non-Patent Literature 1: Beimel, A., Secure schemes for secret    sharing and key distribution. PhD Thesis, Israel Institute of    Technology, Technion, Haifa, Israel, 1996.-   Non-Patent Literature 2: Bethencourt, J., Sahai, A., Waters, B.:    Ciphertext-policy attribute-based encryption. In: 2007 IEEE    Symposium on Security and Privacy, pp. 321-334. IEEE Press (2007)-   Non-Patent Literature 3: Boneh, D., Boyen, X.: Efficient    selective-ID secure identity based encryption without random    oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS,    vol. 3027, pp. 223-238. Springer Heidelberg (2004)-   Non-Patent Literature 4: Boneh, D., Boyen, X.: Secure identity based    encryption without random oracles. In: Franklin, M. K. (ed.)    CRYPTO 2004. LNCS, vol. 3152, pp. 443-459. Springer Heidelberg    (2004)-   Non-Patent Literature 5: Boneh, D., Boyen, X., Goh, E.: Hierarchical    identity based encryption with constant size ciphertext. In:    Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440-456.    Springer Heidelberg (2005)-   Non-Patent Literature 6: Boneh, D., Boyen, X., Shacham, H.: Short    group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol.    3152, pp. 41-55. Springer, Heidelberg (2004)-   Non-Patent Literature 7: Boneh, D., Franklin, M.: Identity-based    encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001.    LNCS, vol. 2139, pp. 213-229. Springer Heidelberg (2001)-   Non-Patent Literature 8: Boneh, D., Hamburg, M.: Generalized    identity based and broadcast encryption scheme. In: Pieprzyk, J.    (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 455-470. Springer    Heidelberg (2008)-   Non-Patent Literature 9: Boneh, D., Katz, J., Improved efficiency    for CCA-secure cryptosystems built using identity based encryption.    RSA-CT 2005, LNCS, Springer Verlag (2005)-   Non-Patent Literature 10: Boneh, D., Waters, B.: Conjunctive,    subset, and range queries on encrypted data. In: Vadhan, S. P. (ed.)    TCC 2007. LNCS, vol. 4392, pp. 535-554. Springer Heidelberg (2007)-   Non-Patent Literature 11: Boyen, X., Waters, B.: Anonymous    hierarchical identity-based encryption (without random oracles). In:    Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290-307. Springer    Heidelberg (2006)-   Non-Patent Literature 12: Canetti, R., Halevi S., Katz J.:    Chosen-ciphertext security from identity-based encryption. EUROCRYPT    2004, LNCS, Springer Heidelberg (2004)-   Non-Patent Literature 13: Chase, M.: Multi-authority attribute based    encryption. TCC, LNCS, pp. 515-534, Springer Heidelberg (2007).-   Non-Patent Literature 14: Chase, M. and Chow, S.: Improving privacy    and security in multi-authority attribute-based encryption, ACM    Conference on Computer and Communications Security, pp. 121-130, ACM    (2009).-   Non-Patent Literature 15: Cocks, C.: An identity based encryption    scheme based on quadratic residues. In: Honary, B. (ed.) IMA Int.    Conf LNCS, vol. 2260, pp. 360-363. Springer Heidelberg (2001)-   Non-Patent Literature 16: Gentry, C.: Practical identity-based    encryption without random oracles. In: Vaudenay, S. (ed.)    EUROCRYPT 2006. LNCS, vol. 4004, pp. 445-464. Springer Heidelberg    (2006)-   Non-Patent Literature 17: Gentry, C., Halevi, S.: Hierarchical    identity-based encryption with polynomially many levels. In:    Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 437-456. Springer    Heidelberg (2009)-   Non-Patent Literature 18: Gentry, C., Silverberg, A.: Hierarchical    ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS,    vol. 2501, pp. 548-566. Springer Heidelberg (2002)-   Non-Patent Literature 19: Goyal, V., Pandey, O., Sahai, A., Waters,    B.: Attribute-based encryption for fine-grained access control of    encrypted data. In: ACM Conference on Computer and Communication    Security 2006, pp. 89-98, ACM (2006)-   Non-Patent Literature 20: Katz, J., Sahai, A., Waters, B.: Predicate    encryption supporting disjunctions, polynomial equations, and inner    products. In: Smart, N. P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965,    pp. 146-162. Springer Heidelberg (2008)-   Non-Patent Literature 21: Lewko, A., Okamoto, T., Sahai, A.,    Takashima, K., Waters, B.: Fully secure functional encryption:    Attribute based encryption and (hierarchical) inner product    encryption, EUROCRYPT 2010. LNCS, Springer Heidelberg (2010)-   Non-Patent Literature 22: Lewko, A. B., Waters, B.: New techniques    for dual system encryption and fully secure HIBE with short    ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp.    455-479. Springer Heidelberg (2010)-   Non-Patent Literature 23: Lewko, A. B., Waters, B.: Decentralizing    Attribute-Based Encryption, the proceedings of Eurocrypt 2011, LNCS,    Springer Heidelberg (2011).-   Non-Patent Literature 24: Lewko, A. B., Waters, B.: Unbounded HIBE    and attribute-based encryption, the proceedings of Eurocrypt 2011,    LNCS, Springer Heidelberg (2011).-   Non-Patent Literature 25: H. Lin, Z. Cao, X. Liang, and J. Shao.:    Secure threshold multi authority attribute based encryption without    a central authority, INDOCRYPT, LNCS, vol. 5365, pp. 426-436,    Springer Heidelberg (2008).-   Non-Patent Literature 26: S. M{umlaut over ( )}uller, S.    Katzenbeisser, and C. Eckert.; On multi-authority ciphertext-policy    attribute-based encryption, Bull. Korean Math Soc. 46, No. 4, pp.    803-819 (2009).-   Non-Patent Literature 27: Okamoto, T., Takashima, K.: Homomorphic    encryption and signatures from vector decomposition. In:    Galbraith, S. D., Paterson, K. G. (eds.) Pairing 2008. LNCS, vol.    5209, pp. 57-74, Springer Heidelberg (2008)-   Non-Patent Literature 28: Okamoto, T., Takashima, K.: Hierarchical    predicate encryption for inner-products, In: ASIACRYPT 2009,    Springer Heidelberg (2009)-   Non-Patent Literature 29: Okamoto, T., Takashima, K.: Fully secure    functional encryption with general relations from the decisional    linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223,    pp. 191-208. Springer Heidelberg (2010). Full version is available    at http://eprint.iacr.org/2010/563-   Non-Patent Literature 30: Okamoto, T., Takashima, K.: Efficient    attribute-based signatures for non-monotone predicates in the    standard model, In: PKC 2011, Springer Heidelberg (2011)-   Non-Patent Literature 31: Okamoto, T., Takashima, K.: Decentralized    Attribute-Based Signatures http://eprint.iacr.org/2011/701-   Non-Patent Literature 32: Ostrovsky, R., Sahai, A., Waters, B.:    Attribute-based encryption with non-monotonic access structures. In:    ACM Conference on Computer and Communication Security 2007, pp.    195-203, ACM (2007)-   Non-Patent Literature 33: Pirretti, M., Traynor, P., McDaniel, P.,    Waters, B.: Secure attribute-based systems. In: ACM Conference on    Computer and Communication Security 2006, pp. 99-112, ACM, (2006)-   Non-Patent Literature 34: Sahai, A., Waters, B.: Fuzzy    identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005.    LNCS, vol. 3494, pp. 457-473. Springer Heidelberg (2005)-   Non-Patent Literature 35: Shi, E., Waters, B.: Delegating capability    in predicate encryption systems. In: Aceto, L., Damgård, I.,    Goldberg, L. A., Halldørsson, M. M., Ingølfsdøttir, A.,    Walukiewicz, I. (eds.) ICALP (2) 2008. LNCS, vol. 5126, pp. 560-578.    Springer Heidelberg (2008)-   Non-Patent Literature 36: Waters, B.: Efficient identity based    encryption without random oracles. Eurocrypt 2005, LNCS, vol. 3152,    pp. 443-459. Springer Verlag, (2005)-   Non-Patent Literature 37: Waters, B.: Ciphertext-policy    attribute-based encryption: an expressive, efficient, and provably    secure realization. ePrint, IACR, http://eprint.iacr.org/2008/290-   Non-Patent Literature 38: Waters, B.: Dual system encryption:    realizing fully secure IBE and HIBE under simple assumptions. In:    Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619-636. Springer    Heidelberg (2009)

SUMMARY OF INVENTION Technical Problem

In the functional encryption scheme described in Non-Patent Literature29, a pair of a basis B_(t) and a basis B*_(t) is required for eachattribute category. When an attribute category is to be added, a newpair of a basis B_(t) and a basis B*_(t) needs to be generated. Thismakes it necessary to reissue a public parameter because the basis B_(t)is included in the public parameter.

It is an object of the present invention to allow for addition of anattribute category without reissuing a public parameter.

Solution to Problem

A cryptographic system according to the present invention is configuredto perform a process using a predetermined basis B and a predeterminedbasis B*, and the cryptographic system includes:

a transmission device configured to generate a transmission-side vectort_(j) for at least one index j out of a plurality of indices j, thetransmission-side vector t_(j) being a vector in which information Jassigned in advance to the index j is set as a coefficient of apredetermined basis vector b_(index) of the basis B, and a parameterΦ_(j) for the index j is set as a coefficient of another basis vectorb_(att) of the basis B; and

a reception device configured to use a reception-side vector r_(j′) forat least one index j′ out of a plurality of indices j′, thereception-side vector r_(j′) being a vector in which information J′having an inner-product of 0 with the information J assigned in advanceto the index j corresponding to the index j′ is set as a coefficient ofa basis vector b_(index) of the basis B* corresponding to the basisvector b_(index), and a parameter Ψ_(j′) for the index j′ is set as acoefficient of a basis vector b*_(att) of the basis B* corresponding tothe basis vector b_(att), and compute a product of pairing operations oncorresponding pairs of the basis vectors of the transmission-side vectort_(j) for the index j and the reception-side vector r_(j′) for the indexj′ corresponding to the index j.

Advantageous Effects of Invention

In a cryptographic system according to the present invention,information J which is assigned in advance to index j is set in atransmission-side vector t_(j), and information J′ having aninner-product of 0 with the information J is set in a reception-sidevector r_(j′). With this arrangement, a basis B and a basis B* can beused commonly for all attribute categories with security maintained,thus eliminating the need for using a basis B_(t) and a basis B*_(t) foreach category. As a result, when an attribute category is to be added,there is no need to newly generate a basis B_(t) and a basis B*_(t),thus allowing for addition of an attribute category without reissuing apublic parameter.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is an explanatory drawing of a matrix M

;

FIG. 2 is an explanatory drawing of a matrix M_(δ);

FIG. 3 is an explanatory drawing of s₀;

FIG. 4 is an explanatory drawing of {right arrow over (s)}^(T);

FIG. 5 is a configuration diagram of a cryptographic system 10 thatimplements a KP-FE scheme according to Embodiment 2;

FIG. 6 is a configuration diagram of a key generation device 100according to Embodiment 2;

FIG. 7 is a configuration diagram of an encryption device 200 accordingto Embodiment 2;

FIG. 8 is a configuration diagram of a decryption device 300 accordingto Embodiment 2;

FIG. 9 is a flowchart illustrating the process of a Setup algorithmaccording to Embodiment 2;

FIG. 10 is a flowchart illustrating the process of a KeyGen algorithmaccording to Embodiment 2;

FIG. 11 is a flowchart illustrating the process of an Enc algorithmaccording to Embodiment 2;

FIG. 12 is a flowchart illustrating the process of a Dec algorithmaccording to Embodiment 2;

FIG. 13 is a configuration diagram of a cryptographic system 10 thatimplements a CP-FE scheme according to Embodiment 3;

FIG. 14 is a configuration diagram of a key generation device 100according to Embodiment 3;

FIG. 15 is a configuration diagram of an encryption device 200 accordingto Embodiment 3;

FIG. 16 is a configuration diagram of a decryption device 300 accordingto Embodiment 3;

FIG. 17 is a flowchart illustrating the process of a KeyGen algorithmaccording to Embodiment 3;

FIG. 18 is a flowchart illustrating the process of an Enc algorithmaccording to Embodiment 3;

FIG. 19 is a flowchart illustrating the process of a Dec algorithmaccording to Embodiment 3;

FIG. 20 is a configuration diagram of a cryptographic system 10 thatimplements an HIPE scheme according to Embodiment 4;

FIG. 21 is a configuration diagram of a key generation device 100according to Embodiment 4;

FIG. 22 is a configuration diagram of an encryption device 200 accordingto Embodiment 4;

FIG. 23 is a configuration diagram of a decryption device 300 accordingto Embodiment 4;

FIG. 24 is a configuration diagram of a key delegation device 400according to Embodiment 4;

FIG. 25 is a flowchart illustrating the process of a Setup algorithmaccording to Embodiment 4;

FIG. 26 is a flowchart illustrating the process of a KeyGen algorithmaccording to Embodiment 4;

FIG. 27 is a flowchart illustrating the process of an Enc algorithmaccording to Embodiment 4;

FIG. 28 is a flowchart illustrating the process of a Dec algorithmaccording to Embodiment 4;

FIG. 29 is a flowchart illustrating the process of a Delegate_(L)algorithm according to Embodiment 4;

FIG. 30 is a configuration diagram of a cryptographic system 10 thatimplements a signature scheme according to Embodiment 5;

FIG. 31 is a configuration diagram of a key generation device 100according to Embodiment 5;

FIG. 32 is a configuration diagram of a signature device 500 accordingto Embodiment 5;

FIG. 33 is a configuration diagram of a verification device 600according to Embodiment 5;

FIG. 34 is a flowchart illustrating the process of a Setup algorithmaccording to Embodiment 5;

FIG. 35 is a flowchart illustrating the process of a KeyGen algorithmaccording to Embodiment 5;

FIG. 36 is a flowchart illustrating the process of a Sig algorithmaccording to Embodiment 5;

FIG. 37 is a flowchart illustrating the process of a Ver algorithmaccording to Embodiment 5;

FIG. 38 is an explanatory drawing of multi-authority;

FIG. 39 is an explanatory drawing of a functional encryption scheme thatallows for addition of an attribute category in a case ofmulti-authority; and

FIG. 40 is a diagram illustrating an example of a hardware configurationof the key generation device 100, the encryption device 200, thedecryption device 300, the key delegation device 400, the signaturedevice 500, and the verification device 600.

DESCRIPTION OF EMBODIMENTS

Embodiments of the present invention will be described hereinafter withreference to the accompanying drawings.

In the following description, a processing device is a CPU 911 or thelike to be described later. A storage device is a ROM 913, a RAM 914, amagnetic disk 920 or the like to be described later. A communicationdevice is a communication board 915 or the like to be described later.An input device is a keyboard 902, the communication board 915 or thelike to be described later. That is, the processing device, the storagedevice, the communication device, and the input device are hardware.

Notations to be used in the following description will be described.

When A is a random variable or distribution, Formula 101 denotes that yis randomly selected from A according to the distribution of A. That is,y is a random number in Formula 101.

$\begin{matrix}{y\overset{R}{}A} & \left\lbrack {{Formula}\mspace{14mu} 101} \right\rbrack\end{matrix}$

When A is a set, Formula 102 denotes that y is uniformly selected fromA. That is, y is a uniform random number in Formula 102.

$\begin{matrix}{y\overset{U}{}A} & \left\lbrack {{Formula}\mspace{14mu} 102} \right\rbrack\end{matrix}$

Formula 103 denotes that y is a set defined or substituted by z.

y:=z  [Formula 103]

When a is a fixed value, Formula 104 denotes that a machine (algorithm)A outputs a on input x.

A(x)→a  [Formula 104]

For example,

A(x)→1

Formula 105, namely F_(q), denotes a finite field of order q.

_(q)  [Formula 105]

A vector symbol denotes a vector representation over the finite fieldF_(q), as indicated in Formula 106.

{right arrow over (x)} denotes

(x ₁ , . . . ,x _(n))ε

_(q) ^(n)  [Formula 106]

Formula 107 denotes that the inner-product, indicated in Formula 109, oftwo vectors {right arrow over (x)} and {right arrow over (v)} indicatedin Formula 108.

{right arrow over (x)}·{right arrow over (v)}  [Formula 107]

{right arrow over (x)}=(x ₁ , . . . ,x _(n)),

{right arrow over (v)}=(v ₁ , . . . ,v _(n))  [Formula 109]

Σ_(i=1) ^(n) x _(i) v _(i)  [Formula 109]

Note that X^(T) denotes the transpose of a matrix X.

When b_(i) (i=1, . . . , n) is an element of a vector of a space V, thatis when Formula 110 is established, Formula III denotes a subspacegenerated by Formula 112.

b _(i)ε

(i=1, . . . ,n)  [Formula 110]

span

b₁ , . . . ,b _(n)

⊂

(resp. span

{right arrow over (x)} ₁ , . . . ,{right arrow over (x)} _(n)

)  [Formula 111]

b ₁ , . . . ,b _(n)(resp. {right arrow over (x)} ₁ , . . . ,{right arrowover (x)} _(n))  [Formula 112]

For a basis B and a basis B* indicated in Formula 113, Formula 114 isestablished.

:=(b ₁ , . . . ,b _(N)),

*:=(b* ₁ , . . . ,b* _(N))  [Formula 113]

(x ₁ , . . . ,x _(N))

:=Σ_(i=1) ^(N) x _(i) b _(i),

(y ₁ , . . . ,y _(N))

:=Σ_(i=1) ^(N) y _(i) b* _(i)  [Formula 114]

Note that {right arrow over (e)}_(j) denotes an orthonormal basis vectorindicated in Formula 115.

$\begin{matrix}{{{{\overset{\rightarrow}{}}_{j}:{\left( {\overset{\overset{j - 1}{}}{0\mspace{14mu} \cdots \mspace{14mu} 0},1,\overset{\overset{n - j}{}}{0\mspace{14mu} \cdots \mspace{14mu} 0}} \right) \in \; {_{q}^{n}\mspace{14mu} {for}\mspace{14mu} j}}} = 1},\cdots \mspace{14mu},n,} & \left\lbrack {{Formula}\mspace{14mu} 115} \right\rbrack\end{matrix}$

In the following description, when “Vt” is shown as a subscript orsuperscript, this Vt denotes V_(t). Likewise, when “δi,j” is shown as asuperscript, this δi,j denotes δ_(i,j).

When “→” representing a vector is attached to a subscript orsuperscript, it is meant that this “→” is attached as a superscript tothe subscript or superscript.

In the following description, processes of cryptographic primitivesinclude not only a narrowly-defined cryptographic process for keepinginformation secure from a third party, but also include a signatureprocess. The processes of the cryptographic primitives include a keygeneration process, an encryption process, a decryption process, a keydelegation process, a signature process, and a verification process.

Embodiment 1

This embodiment describes a basic concept for implementing the processesof the cryptographic primitives to be described in the followingembodiments that allow for addition of an attribute category withoutreissuing a public parameter.

First, addition of an attribute category will be described.

Second, a functional encryption scheme and a basic construction of thefunctional encryption scheme will be briefly described.

Third, a key technique for realizing addition of an attribute categorywithout reissuing a public parameter will be described.

Fourth, a space having a rich mathematical structure called “dualpairing vector spaces (DPVS)” which is a space for implementing thefunctional encryption scheme will be described.

Fifth, a concept for implementing the functional encryption scheme willbe described. Here, “span program”, “inner-product of attributeinformation and access structure”, and “secret distribution scheme(secret sharing scheme)” will be described.

<1. Addition of an Attribute Category>

An attribute category is a classification of an attribute of each user,such as belonging organization, belonging department, position incompany, age, and gender.

The processes of the cryptographic primitives to be described in thefollowing embodiments realize access control based on the user'sattribute. For example, with a narrowly-defined cryptographic processfor securing information from a third party, whether or not the user candecrypt a ciphertext is controlled based on the user's attribute.

Generally, attribute categories used for access control are determinedin advance at the design stage of a system. However, there may be a casewhere the operational rules of the system are changed at a later stage,necessitating addition of an attribute category used for access control.

For example, suppose that a cryptographic system is constructed on theassumption that the system is to be used only within Company A. In thiscase, it is assumed that the attribute categories to be used are, forexample, belonging department, position in company, and individual ID.However, suppose that the operational rules are changed at a later stageso that the cryptographic system is used not only in Company A but alsoin associated companies of Company A. In this case, belonging companyneeds to be newly set as an attribute category to be used.

If the attribute categories used for access control are specified by apublic parameter, adding an attribute category at a later stage requiresthat the public parameter be reissued and redistributed to each user.For this reason, an attribute category cannot be easily added at a laterstage, and an operational mode that was not taken into consideration atthe design stage of the system cannot be flexibly adopted.

Therefore, it is important to allow for addition of an attributecategory without reissuing a public parameter.

<2. Functional Encryption Scheme>

The functional encryption scheme is an encryption scheme that providesmore sophisticated and flexible relations between an encryption key ekand a decryption key dk.

According to the functional encryption scheme, a parameter Φ and aparameter Ψ are set in the encryption key ek and the decryption key dk,respectively. The decryption key dk can decrypt a ciphertext encryptedwith the encryption key ek if and only if a relation R (Φ, Ψ) holds.

The functional encryption scheme includes an attribute-based encryptionscheme and an 1D-based encryption scheme.

The construction of the functional encryption scheme will be brieflydescribed.

The functional encryption scheme consists of four algorithms: Setup,KeyGen, Enc, and Dec.

(Setup)

A Setup algorithm is an algorithm that outputs a public parameter pk anda master key sk.

(KeyGen)

A KeyGen algorithm is an algorithm that takes as input the publicparameter pk, the master key sk, and a parameter Ψ, and outputs adecryption key sk_(Ψ).

(Enc)

An Enc algorithm is an algorithm that takes as input the publicparameter pk, a parameter Φ, and a message m, and outputs a ciphertextct_(Φ).

(Dec)

A Dec algorithm is an algorithm that takes as input the public parameterpk, the decryption key sk_(Ψ), and the ciphertext ct_(Φ), and outputsthe message m or a distinguished symbol ⊥.

The ciphertext ct_(Φ) can be decrypted with the decryption key sk_(Ψ) toobtain the message m if and only if the parameter Ψ and the parameter Φsatisfy the relation R (if R(Φ, Ψ) holds).

Generally, the Setup algorithm is executed only once at system setup.The KeyGen algorithm is executed each time a decryption key sk_(Ψ) of auser is to be generated. The Enc algorithm is executed each time amessage m is to be encrypted. The Dec algorithm is executed each time aciphertext ct_(Φ) is to be decrypted.

<3. Key Technique>

The key technique for realizing addition of an attribute categorywithout reissuing a public parameter is to apply an indexing techniqueto dual system encryption in the dual pairing vector spaces.

In the dual system encryption in the dual pairing vector spaces, a pairof dual bases, a basis B and a basis B*, are randomly generated. Then, apart of the basis B (basis B

) is used as a public parameter.

In the functional encryption scheme described in Non-Patent Literature29, a basis B

₁, . . . , and a basis B

_(d) are generated as a public parameter. One attribute category isassigned to each basis B

_(t) corresponding to each integer t=1, . . . , d. That is, d pieces ofattribute categories can be handled.

As is evident from the fact that the basis B

₁, . . . , and the basis B

_(d) are used as the public parameter, the public parameter needs to bereissued to add a basis B

, that is, to increase the value of d, at a later stage. In other words,the value of d is bounded by the public parameter.

In the functional encryption scheme to be described in the followingembodiments, a basis B

is generated as a public parameter. Two-dimensional index vectors,σ_(t)(1, t) and μ_(i)(t, −1), corresponding to each integer t=1, . . . ,d are set in a ciphertext c and a secret key k*, respectively, such thatone attribute category is assigned to each integer t. That is, d piecesof attribute categories can be handled.

Note here that the public parameter includes the basis B

but not the index vectors. Hence, when index vectors are to be added ata later stage to increase the value of d, there is no need to reissuethe public parameter. In other words, the value of d is not bounded bythe public parameter.

<4. Dual Pairing Vector Spaces>

First, symmetric bilinear pairing groups will be described.

Symmetric bilinear pairing groups (q, G, G^(T), g, e) are a tuple of aprime q, a cyclic additive group G of order q, a cyclic multiplicativegroup G^(T) of order q, g≠0εG, and a polynomial-time computablenondegenerate bilinear pairing e:G×G→G_(T). The nondegenerate bilinearpairing signifies e(sg, tg)=e(g, g)^(st), and e(g, g)≠1.

In the following description, let G_(bpg) be an algorithm that takes asinput 1^(λ) and outputs values of a parameter param_(G):=(q, G, G_(T),g, e) of bilinear pairing groups with a security parameter λ.

Dual pairing vector spaces will now be described.

Dual pairing vector spaces (q, V, G_(T), A, e) can be constructed by adirect product of the symmetric bilinear pairing groups (param_(G):=(q,G, G_(T), g, e)). The dual pairing vector spaces (q, V, G_(T), A, e) area tuple of a prime q, an N-dimensional vector space V over F_(q)indicated in Formula 116, a cyclic group G_(T) of order q, and acanonical basis A:=(a₁, . . . , a_(N)) of the space V, and have thefollowing operations (1) and (2), where a_(i) is as indicated in Formula117.

$\begin{matrix}{:=\overset{\overset{N}{}}{ \times \cdots \times }} & \left\lbrack {{Formula}\mspace{14mu} 116} \right\rbrack \\{a_{i}:=\left( {\overset{\overset{i - 1}{}}{0,\cdots \mspace{14mu},0},g,\overset{\overset{N - i}{}}{0,\cdots \mspace{14mu},0}} \right)} & \left\lbrack {{Formula}\mspace{14mu} 117} \right\rbrack\end{matrix}$

Operation (1): Nondegenerate Bilinear Pairing

A pairing in the space V is defined by Formula 118.

e(x,y):=Π_(i=1) ^(N) e(G _(i) ,H _(i))ε

_(T)  [Formula 118]

where

(G ₁ , . . . ,G _(N)):=xε

,

(H ₁ , . . . ,H _(N)):=yε

This is nondegenerate bilinear, that is, e(sx, ty)=e(x, y)^(st) and ife(x, y)=1 for all yεV, then x=0. For all i and j, e(a_(i), a_(j))=e(g,g)^(δi,j), where δ_(i,j)=1 if i=j, and δ_(i,j)=0 if i≠j, and e(g,g)≠1εG_(T).

Operation (2): Distortion Maps

Linear transformations φ_(i,j) on the space V indicated in Formula 119can achieve Formula 120.

$\begin{matrix}{{{{If}\mspace{14mu} {\varphi_{i,j}\left( a_{j} \right)}} = {a_{i}\mspace{14mu} {and}}}\text{}{{k \neq j},{{{then}\mspace{14mu} {\varphi_{i,j}\left( a_{k} \right)}} = 0.}}} & \left\lbrack {{Formula}\mspace{14mu} 119} \right\rbrack \\{{{\varphi_{i,j}(x)}:=\left( {\overset{\overset{i - 1}{}}{0,\cdots \mspace{14mu},0},g_{j},\overset{\overset{N - i}{}}{0,\cdots \mspace{14mu},0}} \right)}\mspace{14mu} {{{where}\left( {g_{1},{\cdots \mspace{14mu} g_{N}}} \right)}:=x}} & \left\lbrack {{Formula}\mspace{14mu} 120} \right\rbrack\end{matrix}$

The linear transformations φ_(i,j) will be called distortion maps.

In the following description, let G_(dpvs) be an algorithm that takes asinput 1^(λ) (λεnatural number), Nεnatural number, and values of aparameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups, andoutputs values of a parameter param_(V):=(q, V, G_(T), A, e) of dualpairing vector spaces with a security parameter λ and an N-dimensionalspace V.

Description will be directed herein to a case where the dual pairingvector spaces are constructed using the above-described symmetricbilinear pairing groups. The dual pairing vector spaces can also beconstructed using asymmetric bilinear pairing groups. The followingdescription can easily be adapted to a case where the dual pairingvector spaces are constructed using asymmetric bilinear pairing groups.

<5. Concept for Implementing Functional Encryption>

<5-1. Span Program>

FIG. 1 is an explanatory drawing of a matrix M

.

Let {p₁, . . . , p_(n)} be a set of variables. M

:=(M, ρ) is a labeled matrix. The matrix M is an (L rows×r columns)matrix over F_(q), and ρ is a label of columns of the matrix M and isrelated to one of literals {p₁, . . . , p_(n),

p₁, . . . ,

p_(n)}. A label ρ_(i) (i=1, . . . , L) of each row of M is related toone of the literals. That is, ρ:{1, . . . , L}→{p₁, . . . , p_(n),

p₁, . . . ,

p_(n)}.

For every input sequence δε{0, 1}^(n), a submatrix M_(δ) of the matrix Mis defined. The matrix M_(δ) is a submatrix consisting of those rows ofthe matrix M the labels ρ of which are related to a value “1” by theinput sequence δ. That is, the matrix M_(δ) is a submatrix consisting ofthe rows of the matrix M which are related to p_(i) such that δ_(i)=1and the rows of the matrix M which are related to

p_(i) such that δ_(i)=0.

FIG. 2 is an explanatory drawing of the matrix M_(δ). In FIG. 2, notethat n=7, L=6, and r=5. That is, the set of variables is {p₁, . . . ,p₇}, and the matrix M is a (6 rows×5 columns) matrix. In FIG. 2, assumethat the labels ρ are related such that ρ₁ is related to

p₂, ρ₂ to p₁, ρ₃ to p₄, ρ₄ to

p₅, ρ₅ to

p₃, and ρ₆ to p₅.

Assume that in an input sequence δε{0, 1}⁷, δ₁=1, δ₂=0, δ₃=1, δ₄=0,δ₅₌0, δ₆=1, and δ₇=1. In this case, a submatrix consisting of the rowsof the matrix M which are related to literals (p₁, p₃, p₆, p₇,

p₂,

p₄,

p₅) surrounded by broken lines is the matrix M_(δ). That is, thesubmatrix consisting of the first row (M₁), second row (M₂), and fourthrow (M₄) of the matrix M is the matrix M_(δ).

In other words, when map γ:{1, . . . , L}→{0, 1} is [ρ(j)=p_(i)]

[δ_(i)=1] or [ρ(j)=

p_(i)]

[δ_(i)=0], then γ(j)=1; otherwise γ(j)=0. In this case,M_(δ):=(M_(j))_(δ(j)=1). Note that M_(j) is the j-th row of the matrixM.

That is, in FIG. 2, map γ(j)=1 (j=1, 2, 4), and map γ(j)=0 (j=3, 5, 6).Hence, (M_(j))_(γ(j)=1) is M₁, M₂, and M₄, and the matrix M_(δ).

More specifically, whether or not the j-th row of the matrix M isincluded in the matrix M_(δ) is determined by whether the value of themap γ(j) is “0” or “1”.

The span program M

accepts an input sequence δ if and only if {right arrow over(1)}εspan<M_(δ)>, and rejects the input sequence δ otherwise. That is,the span program M

accepts the input sequence δ if and only if linear combination of therows of the matrix M_(δ) which are obtained from the matrix M

by the input sequence δ gives {right arrow over (1)}. {right arrow over(1)} is a row vector which has a value “1” in each element.

For example, in FIG. 2, the span program M

accepts the input sequence δ if and only if linear combination of therespective rows of the matrix M_(δ) consisting of the 1st, 2nd, and 4throws of the matrix M gives {right arrow over (1)}. That is, if thereexist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)={right arrow over(1)}, the span program M

accepts the input sequence δ.

The span program is called monotone if its labels ρ are related to onlypositive literals {p₁, . . . , p_(n)}. The span program is callednon-monotone if its labels ρ are related to the literals {p₁, . . . ,p_(n),

p₁, . . . ,

p_(n)}. It is assumed herein that the span program is non-monotone. Anaccess structure (non-monotone access structure) is constituted usingthe non-monotone span program. Briefly, an access structure controlsaccess to encryption, that is, it controls whether a ciphertext is to bedecrypted or not.

As will be described in detail later, the span program beingnon-monotone, instead of being monotone, allows for a wider range ofapplications of the functional encryption scheme constituted using thespan program.

<5-2. Inner-Product of Attribute Information and Access Structure>

The above-described map γ(j) is computed using the inner-product ofattribute information. That is, the inner-product of attributeinformation is used to determine which row of the matrix M is to beincluded in the matrix M_(δ).

U_(t) (t=1, . . . , d and U_(t)⊂{0, 1}*) is a sub-universe and a set ofattributes. Each U_(t) includes identification information (t) of thesub-universe and an n-dimensional vector ({right arrow over (v)}). Thatis, U_(t) is (t, {right arrow over (v)}), where to tε{1, . . . , d} and{right arrow over (v)}εF_(q) ^(n).

Let U_(t):=(t, {right arrow over (v)}) be a variable p of the spanprogram M

:=(M, ρ). That is, p:=(t, {right arrow over (v)}). Let the span programM

:=(M, ρ) having the variable (p:=(t, {right arrow over (v)}), (t′,{right arrow over (v)}′), . . . ) be an access structure S.

That is, the access structure S:=(M, ρ) and ρ:{1, . . . , L}→{(t, {rightarrow over (v)}), (t′, {right arrow over (v)}′), . . . ,

(t, {right arrow over (v)}),

(t′, {right arrow over (v)}′), . . . }.

Let Γ be a set of attributes. That is, Γ:={(t, {right arrow over(x)}_(t))|{right arrow over (x)}_(t)εF_(q) ^(n), 1≦t≦d}.

When Γ is given to the access structure S, map γ: {1, . . . , L}→{0, 1}for the span program M

:=(M, ρ) is defined as follows. For each integer i=1, . . . , L, setγ(j)=1 if [ρ(i)=(t, {right arrow over (v)}_(i))]

[(t, {right arrow over (x)}_(t))εΓ]

[{right arrow over (v)}_(i)·{right arrow over (x)}_(t)=0] or [ρ(i)=

(t, {right arrow over (v)}_(i))]

[(t, {right arrow over (x)}_(t))εΓ]

[{right arrow over (v)}_(i)·{right arrow over (x)}_(t)≠0]. Set γ(j)=0otherwise.

That is, the map γ is computed based on the inner-product of theattribute information {right arrow over (v)} and {right arrow over (x)}.As described above, which row of the matrix M is to be included in thematrix M_(δ) is determined by the map γ. More specifically, which row ofthe matrix M is to be included in the matrix M_(δ) is determined by theinner-product of the attribute information {right arrow over (v)} and{right arrow over (x)}. The access structure S:=(M, ρ) accepts Γ if andonly if {right arrow over (1)}εspan<(M_(i))_(γ(i)=1)>.

<5-3. Secret Distribution Scheme>

A secret distribution scheme for the access structure S:=(M, ρ) will bedescribed.

The secret distribution scheme is distributing secret information torender it nonsense distributed information. For example, secretinformation s is distributed into 10 pieces to generate 10 pieces ofdistributed information. Each of the 10 pieces of distributedinformation does not have information on the secret information s.Hence, even when one of the pieces of distributed information isobtained, no information can be obtained on the secret information s. Onthe other hand, if all of the 10 pieces of distributed information areobtained, the secret information s can be recovered.

Another secret distribution scheme is also available according to whichthe secret information s can be recovered if some (for example, 8pieces) of distributed information can be obtained, without obtainingall of the 10 pieces of distributed information. A case like this wherethe secret information s can be recovered using 8 pieces out of 10pieces of distributed information will be called 8-out-of-10. That is, acase where the secret information s can be recovered using t pieces outof n pieces of distributed information will be called t-out-of-n. This twill be called a threshold.

Still another secret distribution scheme is available according to whichwhen 10 pieces of distributed information d₁, . . . , d₁₀ are generated,the secret information s can be recovered with 8 pieces of distributedinformation d₁, . . . , d₈, but the secret information s cannot berecovered with 8 pieces of distributed information d₃, . . . , d₁₀. Inother words, secret distribution schemes include a scheme according towhich whether or not the secret information s can be recovered iscontrolled not only by the number of pieces of distributed informationobtained, but also the combination of distributed information obtained.

FIG. 3 is an explanatory drawing of s₀. FIG. 4 is an explanatory drawingof {right arrow over (s)}^(T).

Let a matrix M be an (L rows×r columns) matrix. Let {right arrow over(f)}^(T) be a column vector indicated in Formula 121.

$\begin{matrix}{{\overset{\rightarrow}{f}}^{T}:={\left( {f_{1},{\cdots \mspace{14mu} f_{r}}} \right)^{T}\overset{U}{}_{q}^{r}}} & \left\lbrack {{Formula}\mspace{14mu} 121} \right\rbrack\end{matrix}$

Let s₀ indicated in Formula 122 be secret information to be shared.

s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T):=Σ_(k=1) ^(r) f_(k)  [Formula 122]

Let {right arrow over (s)}^(T) indicated in Formula 123 be a vector of Lpieces of distributed information of s₀.

{right arrow over (s)} ^(T):=(s ₁ , . . . s _(L))^(T) :=M·{right arrowover (f)} ^(T)  [Formula 123]

Let the distributed information s_(i) belong to ρ(i).

If the access structure S:=(M, ρ) accepts Γ, that is, {right arrow over(1)}εspan<(M_(i))_(γ(i)=1)> for γ:{1, . . . , L}→{0, 1}, then thereexist constants {α_(i)εF_(q)|iεI} such that I⊂{iε{1, . . . ,L})|γ(i)−=1}.

This is obvious from the explanation about the example of FIG. 2 that ifthere exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)={right arrowover (1)}, the span program M

accepts the input sequence δ. That is, if the span program M

accepts the input sequence S when there exist α₁, α₂, and α₄ with whichα₁(M₁)+α₂(M₂)+α₄(M₄)={right arrow over (1)}, then there exist α₁, α₂,and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)={right arrow over (1)}.

Note Formula 124.

Σ_(iεI)α_(i) s _(i) :=s ₀  [Formula 124]

Note that the constants {α_(i)}can be computed in time polynomial in thesize of the matrix M.

With the functional encryption scheme according to the followingembodiments, an access structure is constructed by applying theinner-product predicate and the secret distribution scheme to the spanprogram, as described above. Therefore, access control can be designedflexibly by designing the matrix M in the span program and the attributeinformation x and the attribute information v (predicate information) inthe inner-product predicate. That is, access control can be designedvery flexibly. Designing of the matrix M corresponds to designing ofconditions such as a threshold of the secret distribution scheme.

For example, the attribute-based encryption scheme described abovecorresponds to a case where designing of the inner-product predicate islimited to a certain condition in the access structure in the functionalencryption scheme according to the following embodiments. That is, whencompared to the access structure in the functional encryption schemeaccording to the following embodiments, the access structure in theattribute-based encryption scheme has a lower flexibility in accesscontrol design because it lacks the flexibility in designing theattribute information x and the attribute information v (predicateinformation) in the inner-product predicate. More specifically, theattribute-based encryption scheme corresponds to a case where attributeinformation {{right arrow over (x)}_(t)}_(tε{1, . . . , d}) and {{rightarrow over (v)}_(t)}_(tε{1, . . . , d}) are limited to two-dimensionalvectors for the equality relation, for example, {right arrow over(x)}_(t):=(1, x_(t)) and {right arrow over (v)}_(t):=(v_(t), −1).

An inner-product predicate encryption scheme corresponds to a case wheredesigning of the matrix M in the span program is limited to a certaincondition in the access structure in the functional encryption schemeaccording to the following embodiments. That is, when compared to theaccess structure in the functional encryption scheme according to thefollowing embodiments, the access structure in the inner-productpredicate encryption scheme has a lower flexibility in access controldesign because it lacks the flexibility in designing the matrix M in thespan program. More specifically, the inner-product predicate encryptionscheme corresponds to a case where the secret distribution scheme islimited to 1-out-of-1 (or d-out-of-d).

In particular, the access structure in the functional encryption schemeaccording to the following embodiments constitutes a non-monotone accessstructure that uses a non-monotone span program. Thus, the flexibilityin access control designing improves.

More specifically, since the non-monotone span program includes anegative literal (

p), a negative condition can be set. For example, assume that FirstCompany includes four departments, A, B, C, and D. Assume that accesscontrol is to be performed such that only users belonging to departmentsother than department B of First Company are capable of access (capableof decryption). In this case, if a negative condition cannot be set, acondition that “the user belongs to any one of departments A, C, and Dof First Company” must be set. On the other hand, if a negativecondition can be set, a condition that “the user is an employee of FirstCompany and belongs to a department other than department B” can be set.In other words, since a negative condition can be set, natural conditionsetting is possible. Although the number of departments is small in thiscase, this scheme is very effective in a case where the number ofdepartments is large.

Embodiment 2

This embodiment describes a narrowly-defined cryptographic processingscheme. In particular, this embodiment describes a key-policy functionalencryption (KP-FE) scheme.

Note that key-policy means that a policy, namely an access structure, isembedded in a decryption key.

First, the construction of the KP-FE scheme will be described.

Second, the configuration of a cryptographic system 10 that implementsthe KP-FE scheme will be described.

Third, the KP-FE scheme will be described in detail.

<1. Construction of KP-FE Scheme>

The KP-FE scheme consists of four algorithms: Setup, KeyGen, Enc, andDec.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input asecurity parameter λ, and outputs a public parameter pk and a master keysk.

(KeyGen)

A KeyGen algorithm is a probabilistic algorithm that takes as input anaccess structure S:=(M, ρ), the public parameter pk, and the master keysk, and outputs a decryption key sk_(S).

(Enc)

An Enc algorithm is a probabilistic algorithm that takes as input amessage m, an attribute set Γ:={(t, {right arrow over (x)}_(t))|{rightarrow over (x)}_(t)εF_(q) ^(n), 1≦t≦d}, and the public parameter pk, andoutputs a ciphertext ct_(Γ).

(Dec)

A Dec algorithm is an algorithm that takes as input the ciphertextct_(Γ) encrypted under the attribute set Γ, the decryption key sk_(S)for the access structure S, and the public parameter pk, and outputs themessage m or a distinguished symbol ⊥.

<2. Configuration of Cryptographic System 10 that Implements KP-FEScheme>

FIG. 5 is a configuration diagram of the cryptographic system 10 thatimplements the KP-FE scheme according to Embodiment 2.

The cryptographic system 10 includes a key generation device 100, anencryption device 200, and a decryption device 300.

The key generation device 100 executes the Setup algorithm taking asinput a security parameter λ, and thus generates a public parameter pkand a master key sk. Then, the key generation device 100 publishes thegenerated public parameter pk. The key generation device 100 alsoexecutes the KeyGen algorithm taking as input an access structure S, andthus generates a decryption key sk_(S), and distributes the decryptionkey sk_(S) to the decryption device 300 in secrecy.

The encryption device 200 executes the Enc algorithm taking as input amessage m, an attribute set Γ, and the public parameter pk, and thusgenerates a ciphertext ct_(Γ). The encryption device 200 transmits thegenerated ciphertext ct_(Γ) to the decryption device 300.

The decryption device 300 executes the Dec algorithm taking as input thepublic parameter pk, the decryption key sk_(S), and the ciphertextct_(Γ), and thus outputs the message m or a distinguished symbol ⊥.

<3. KP-FE Scheme in Detail>

With reference to FIGS. 6 to 12, the KP-FE scheme will be described, andthe function and operation of the cryptographic system 10 thatimplements the KP-FE scheme will be described.

FIG. 6 is a configuration diagram of the key generation device 100according to Embodiment 2. FIG. 7 is a configuration diagram of theencryption device 200 according to Embodiment 2. FIG. 8 is aconfiguration diagram of the decryption device 300 according toEmbodiment 2.

FIGS. 9 and 10 show flowcharts illustrating the operation of the keygeneration device 100. FIG. 9 is a flowchart illustrating the process ofthe Setup algorithm, and FIG. 10 is a flowchart illustrating the processof the KeyGen algorithm. FIG. 11 is a flowchart illustrating theoperation of the encryption device 200 and illustrating the process ofthe Enc algorithm. FIG. 12 is a flowchart illustrating the operation ofthe decryption device 300 and illustrating the process of the Decalgorithm.

In the following description, it is assumed that x_(t,1):=1.

The function and operation of the key generation device 100 will bedescribed.

The key generation device 100 includes a master key generation unit 110,a master key storage unit 120, an information input unit 130, adecryption key generation unit 140, and a key distribution unit 150. Thedecryption key generation unit 140 includes an f vector generation unit141, an s vector generation unit 142, a random number generation unit143, and a key element generation unit 144.

First, with reference to FIG. 9, the process of the Setup algorithm willbe described.

(S101: Orthonormal Basis Generation Step)

Using the processing device, the master key generation unit 110 computesFormula 125, and thus generates a parameter param, a basis B₀ and abasis B*₀, and a basis B₁ (basis B) and a basis B*₁ (basis B*).

$\begin{matrix}\left\lbrack {{Formula}\mspace{14mu} 125} \right\rbrack & \; \\{{input}\mspace{14mu} 1^{\lambda}} & (1) \\{{param}_{}:={\left( {q,,_{T},g,e} \right)\overset{R}{}{_{bpg}\left( 1^{\lambda} \right)}}} & (2) \\{{{\psi \overset{U}{}_{q}^{x}},{N_{0}:={1 + u_{0} + 1 + w_{0} + z_{0}}},{N_{1}:={2 + n + u + w + z}}}{{{{The}\mspace{14mu} {process}\mspace{14mu} (4)\mspace{14mu} {through}\mspace{14mu} (8)\mspace{14mu} {is}\mspace{14mu} {executed}\mspace{14mu} {for}\mspace{14mu} {each}\mspace{14mu} t} = 0},1.}} & (3) \\{{param}_{_{t}}:={\left( {q,_{t},_{T},_{t},e} \right):={_{dpvs}\left( {1^{\lambda},N_{t},{param}_{}} \right)}}} & (4) \\{X_{t}:={\left( \chi_{t,i,j} \right)_{i,{j = 1},\; \cdots \mspace{14mu},N_{t}}\overset{U}{}{{GL}\left( {N_{t},_{q}} \right)}}} & (5) \\{X_{t}^{*}:={\left( \vartheta_{t,i,j} \right)_{i,{j = 1},\; \cdots \mspace{14mu},N_{t}}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}}} & (6) \\{{b_{t,i}:={\left( {\overset{\rightarrow}{\chi}}_{t,i} \right)_{_{t}} = {{\sum_{j = 1}^{N_{t}}{\chi_{t,i,j}a_{t,j}\mspace{14mu} {for}\mspace{14mu} i}} = 1}}},\cdots \mspace{14mu},N_{t},{_{t}:=\left( {b_{t,1},\cdots \mspace{14mu},b_{t,N_{t}}} \right)}} & (7) \\{{b_{t,i}^{*}:={\left( {\overset{\rightarrow}{\vartheta}}_{t,i} \right)_{_{t}} = {{\left( \sum_{j = 1}^{N_{t}} \right)\vartheta_{t,i,j}a_{t,j}\mspace{14mu} {for}\mspace{14mu} i} = 1}}},\cdots \mspace{14mu},N_{t},{_{t}^{*}:=\left( {b_{t,1}^{*},\cdots \mspace{14mu},b_{t,N_{t}}^{*}} \right)}} & (8) \\{{g_{T}:={{e\left( {g,g} \right)}\psi}},{{param}:=\left( {\left\{ {param}_{_{t}} \right\}_{{t = 0},1},g_{T}} \right)}} & (9)\end{matrix}$

That is, the master key generation unit 110 executes the followingprocess.

(1) Using the input device, the master key generation unit 110 takes asinput a security parameter λ(1^(λ)).

(2) Using the processing device, the master key generation unit 110executes the algorithm G_(bpg) taking as input the security parameter λ(1^(λ)) inputted in (1), and thus generates values of a parameterparam_(G):=(q, G, G_(T), g, e) of bilinear pairing groups.

(3) Using the processing device, the master key generation unit 110generates a random number w, and sets 1+u₀+1+w₀+z₀ in N₀ and 2+n+u+w+zin N₁, where n is an integer of 1 or more and u₀, w₀, z₀, u, w, and zare integers of 0 or more.

Then, the master key generation unit 110 executes the following process(4) through (8) for each t=0, 1.

(4) Using the processing device, the master key generation unit 110executes the algorithm G_(dpvs) taking as input the security parameter λ(1^(λ)) inputted in (1), N_(t) set in (3), and the values ofparam_(G):=(q, G, G_(T), g, e) generated in (2), and thus generatesvalues of a parameter param_(Vt):=(q, V_(t), G_(T), A_(t), e) of dualpairing vector spaces.

(5) Using the processing device, the master key generation unit 110takes as input N_(t) set in (3) and F_(q), and randomly generates alinear transformation X_(t):=(χ_(t,i,j))_(i,j). Note that GL stands forgeneral linear. In other words, GL is a general linear group, a set ofsquare matrices with nonzero determinants, and a group undermultiplication. Note that (χ_(t,i,j))_(i,j) denotes a matrix concerningthe suffixes i and j of the matrix χ_(t,i,j), where i, j=1, . . . ,N_(t).

(6) Using the processing device and based on the random number ψ and thelinear transformation X_(t), the master key generation unit 110generates (v_(t,i,j))_(i,j):=ψ·(X_(t) ^(T))⁻¹. Like (χ_(t,i,j))_(i,j),(v_(t,i,j))_(i,j) denotes a matrix concerning the suffixes i and j ofthe matrix v_(t,i,j), where i, j=1, . . . , N_(t).

(7) Using the processing device and based on the linear transformationX_(t) generated in (5), the master key generation unit 110 generates abasis B_(t) from the orthonormal basis A_(t) generated in (4). Note that{right arrow over (x)}_(t,i) indicates the i-th row of the lineartransformation X_(t).

(8) Using the processing device and based on (v_(t,i,j))_(i,j) generatedin (6), the master key generation unit 110 generates a basis B*_(t) fromthe orthonormal basis A_(t) generated in (4). Note that {right arrowover (v)}_(t,i) indicates the i-th row of the linear transformationX*_(t).

(9) Using the processing device, the master key generation unit 110 setse(g, g)^(ψ) in g_(T). The master key generation unit 110 also sets{param_(Vt)}_(t=0,1) generated in (4) and g_(T) in param.

In brief, in (S101), the master key generation unit 110 executes analgorithm G_(ob) indicated in Formula 126, and thus generates param, thebasis B₀ and the basis B*₀, and the basis B₁ (basis B) and the basis B*₁(basis B*).

                                [Formula  126]${{{_{ob}\left( 1^{\lambda} \right)}:{param}_{}}:={\left( {q,,_{T},g,e} \right)\overset{R}{}{_{bpg}\left( 1^{\lambda} \right)}}},{\psi \overset{U}{}_{q}^{x}},{N_{0}:={1 + u_{0} + 1 + w_{0} + z_{0}}},{N_{1}:={2 + n + u + w + z}},{{{for}\mspace{14mu} t} = 0},1,{{param}_{_{t}}:{\left( {q,_{t},_{T},_{t},e} \right):{_{dpvs}\left( {1^{\lambda},N_{t},{param}_{}} \right)}}},{X_{t}:={\left( \chi_{t,i,j} \right)_{i,{j = 1},\cdots \mspace{11mu},N_{t}}\overset{U}{}{{GL}\left( {N_{t},_{q}} \right)}}}$X_(t)^(*) := (ϑ_(t, i, j))_(i, j = 1, ⋯  , N_(t)) := ψ ⋅ (X_(t)^(T))⁻¹, hereafter${{\overset{\rightarrow}{\chi}}_{t,i}\mspace{14mu} {and}\mspace{14mu} {\overset{\rightarrow}{\vartheta}}_{t,i}\mspace{14mu} {denote}\mspace{14mu} {the}\mspace{20mu} \text{i-th}\mspace{14mu} {rows}\mspace{14mu} {of}\mspace{14mu} X_{t}\mspace{14mu} {and}\mspace{14mu} X_{t}^{*}}\mspace{14mu}$${{{for}\mspace{14mu} i} = 1},\cdots,N_{t},{respectively},\text{}{b_{t,i}:={\left( {\overset{\rightarrow}{\chi}}_{t,i} \right)_{_{t}} = {{\sum_{j = 1}^{N_{t}}{\chi_{t,i,j}a_{t,j}\mspace{14mu} {for}\mspace{14mu} i}} = 1}}},\cdots,N_{t}$${{_{t}:=\left( {b_{t,1},\cdots \mspace{14mu},b_{t,N_{t}}} \right)},{b_{t,i}^{*}:={\left( {\overset{\rightarrow}{\vartheta}}_{t,i} \right)_{_{t}} = {\sum_{j = 1}^{N_{t}}{\vartheta_{t,i,j}a_{t,j}}}}}}\mspace{14mu}$for  i = 1, ⋯, N_(t), B_(t)^(*) := (b_(t, 1)^(*), ⋯  , b_(t, N_(t))^(*)), g_(T) := e(g, g)^(ψ), param := ({param_(_(t))}_(t = 0, 1), g_(T)), return  (param, _(t), _(t)^(*)).

In the following description, for simplicity, the basis B₁ and the basisB*₁ will be described as the basis B and the basis B*.

(S102: Public Parameter Generation Step)

Using the processing device, the master key generation unit 110generates a subbasis B

₀ of the basis B₀ and a subbasis B

of the basis B, as indicated in Formula 127, the bases B₀ and B havingbeen generated in (S101).

₀:=(b _(0,1) ,b _(0,1+u) ₀ ₊₁ ,b _(0,1+u) ₀ _(+1+w) ₀ ₊₁ , . . . ,b_(0,1+u) ₀ _(+1+w) ₀ _(+z) ₀ ),

:=(b ₁ , . . . ,b _(2+n) ,b _(2+n+u+w+1) , . . . ,b_(2+n+u+w+z))  [Formula 127]

The master key generation unit 110 generates a public parameter pk byputting together the generated subbasis B

₀ and subbasis B

, the security parameter λ(1^(λ)) inputted in (S101), and paramgenerated in (S101).

(S103: Master Key Generation Step)

Using the processing device, the master key generation unit 110generates a subbasis B

*₀ of the basis B*₀ and a subspace B

* of the basis B*, as indicated in Formula 128, the bases B*₀ and B

* having been generated in (S101).

*₀:=(b* _(0,1) ,b* _(0,1+u) ₀ ₊₁ ,b* _(0,1+u) ₀ ₊₁₊₁ , . . . ,b*_(0,1+u) ₀ _(+1+w) ₀ ),

*:=(b* ₁ , . . . ,b* _(2+n) ,b* _(2+n+u+1) , . . . ,b*_(2+n+u+w))  [Formula 128]

The master key generation unit 110 generates a master key sk which isconstituted by the generated subbasis B

*₀ and subbasis B

*.

(S104: Master Key Storage Step)

The master key storage unit 120 stores the parameter pk generated in(S102) in the storage device. The master key storage unit 120 alsostores the master key sk generated in (S103) in the storage device.

In brief, in (S101) through (S103), the key generation device 100executes the Setup algorithm indicated in Formula 129, and thusgenerates the public parameter pk and the master key sk. In (S104), thekey generation device 100 stores the generated public parameter pk andmaster key sk in the storage device.

The public parameter is published, for example, via the network, and ismade available for the encryption device 200 and the decryption device300.

 Setup   ( 1 λ )  :    ( param , ( 0 , 0 * ) , ( , * ) )  ← R ob  ( 1 λ ) ,  ^ 0 := ( b 0 , 1 , b 0 , 1 + u 0 + 1 , b 0 , 1 + u 0 +1 + w 0 + 1 , …  , b 0 , 1 + u 0 + 1 + w 0 + z 0 ) ,  ^ := ( b 1 , … , b 2 + n , b 2 + n + u + w + 1 , …  , b 2 + n + u + w + z ) ,  ^ 0 *:= ( b 0 , 1 * , b 0 , 1 + u 0 + 1 , b 0 , 1 + u 0 + 1 + 1 , …  , b 0 ,1 + u 0 + 1 + w 0 ) ,  ^ * := ( b 1 * , …  , b 2 + n * , b 2 + n + u +1 , …  , b 2 + n + u + w * ) ,   return   pk := ( 1 λ , param , ^ 0, ^ ) , sk := ( ^ 0 * , ^ * ) . [ Formula   129 ]

With reference to FIG. 10, the process of the KeyGen algorithm will bedescribed.

(S201: Information Input Step)

Using the input device, the information input unit 130 takes as inputthe above-described access structure S:=(M, ρ). Note that the matrix Mof the access structure S is to be set according to the conditions of asystem to be implemented. Note also that attribute information of theuser of a decryption key sk_(S) is set in ρ of the access structure S,for example.

(S202: f Vector Generation Step)

Using the processing device, the f vector generation unit 141 randomlygenerates a vector {right arrow over (f)} having r pieces of elements,as indicated in Formula 130.

f →  ← U  q r [ Formula   130 ]

(S203: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix Mincluded in the access structure S inputted in (S201) and the vector{right arrow over (f)} generated in (S202), the s vector generation unit142 generates a vector {right arrow over (s)}^(T):=(s₁, . . . ,s_(L))^(T), as indicated in Formula 131.

{right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrowover (f)} ^(T)  [Formula 131]

Using the processing device and based on the vector {right arrow over(f)} generated in (S202), the s vector generation unit 142 alsogenerates a value s₀, as indicated in Formula 132.

s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 132]

(S204: Random Number Generation Step)

Using the processing device, the random number generation unit 143generates random numbers, as indicated in Formula 133.

η → 0 := ( η 0 , 1 , …  , η 0 , w 0 )  ← U  q w 0 ,  μ i , θ i  ← U q ,  η → i := ( η i , 1 , …  , η i , w )  ← U  q w   for   i =1 , …  , L [ Formula   133 ]

(S205: Key Element Generation Step)

Using the processing device, the key element generation unit 144generates an element k*₀ of the decryption key sk_(S), as indicated inFormula 134.

k 0 * := ( - s 0 , 0 u 0  u 0 , 1 , η → 0  w 0 , 0 z 0  z 0 , ) 0 * [Formula   134 ]

As described above, for the basis B and the basis B* indicated inFormula 113, Formula 114 is established. Thus, Formula 134 means that−s₀ is set as the coefficient of a basis vector b*_(0,1) of the basisB*₀, 0 is set as the coefficient of basis vectors b*_(0,1+1), . . . ,b*_(0,1+u), 1 is set as the coefficient of a basis vector b*_(0,1+u0+1),η_(0,1), . . . , η_(0,w0) are respectively set as the coefficient ofbasis vectors b*_(0,1+u0+1+1), . . . , b_(0,1+u0+1+w0), and 0 is set asthe coefficient of basis vectors b*_(0,1+u0+1+w0+1), . . . ,b*_(0,1+u0+1+w0+z0), where u0, w0, and z0 respectively denote u₀, w₀,and z₀.

Using the processing device, the key element generation unit 144 alsogenerates an element k*_(i) of the decryption key sk_(S) for eachinteger i=1, . . . , L, as indicated in Formula 135.

for   i = 1 , …  , L ,  if   ρ  ( i ) = ( t , v → i ) ,  k i *:= ( u i  ( t , - 1 , ) , s i  e → 1 + θ i  v → i   2 + n   0 u , u  η → i ,  w  0 z  z ) * ,  if   ρ  ( i ) =  ( t , v → i ) , k i * := ( u i  ( t , - 1 , ) , s i  v → i ,   2 + n   0 u ,  u η → i ,  w  0 z  z ) * [ Formula   135 ]

That is, like Formula 134, the meaning of Formula 135 is as explainedbelow. When ρ(i) is a positive set (t, {right arrow over (v)}_(i)), pitis set as the coefficient of a basis vector b*₁ of the basis B*, −μ_(i)is set as the coefficient of a basis vector b*₂, s_(i)+θ_(i)v_(i,1) isset as the coefficient of a basis vector b*₂₊₁, θ_(i)v_(i,2), . . . ,θ_(i)v_(i,n) are respectively set as the coefficient of basis vectorsb*₂₊₂, . . . , b*_(2+n), 0 is set as the coefficient of basis vectorsb*_(2+n+1), . . . , b*_(2+n+u), η_(i,1), . . . , η_(i,w) arerespectively set as the coefficient of basis vectors b*_(2+n+u+1), . . ., b*_(2+n+u+w), and 0 is set as the coefficient of basis vectorsb*_(2+n+u+w+1), . . . , b*_(2+n+u+w+z).

On the other hand, when ρ(i) is a negative set

(t, {right arrow over (v)}_(i)), it is set as the coefficient of thebasis vector b*₁ of the basis B*, −μ_(i) is set as the coefficient ofthe basis vector b*₂, s_(i)v_(i,1), . . . , s_(i)v_(i,n) arerespectively set as the coefficient of the basis vectors b*₂₊₁, . . . ,b*_(2+n), 0 is set as the coefficient of the basis vectors b*_(2+n+1), .. . , b*_(2+n+u), η_(i,1), . . . , η_(i,w) are respectively set as thecoefficient of the basis vectors b*_(2+n+u+1), . . . , b*_(2+n+u+w), and0 is set as the coefficient of the basis vectors b*_(2+n+u+w+1), . . . ,b*_(2+n+u+w+z).

(S206: Key Distribution Step)

Using the communication device and via the network, for example, the keydistribution unit 150 distributes the decryption key sk_(S) having, aselements, the access structure S inputted in (S201) and k*₀, k*₁, . . ., and k*_(L) generated in (S205) to the decryption device 300 insecrecy. As a matter of course, the decryption key sk_(S) may bedistributed to the decryption device 300 by another method.

In brief, in (S201) through (S205), the key generation device 100executes the KeyGen algorithm indicated in Formula 136, and thusgenerates the decryption key sk_(S). In (S206), the key generationdevice 100 distributes the generated decryption key sk_(S) to thedecryption device 300.

KeyGen  ( pk , sk , := ( M , ρ ) )  :   f →  ← U  q r ,  s 0 := 1→ · f → T , s → T := ( s 1 , …  , s L ) T := M · f → T ,  η → 0  ← U q w 0 ,  k 0 * := ( - s 0 , 0 u 0  u 0 , 1 , η → 0  w 0 , 0 z 0  z0 , ) 0 * ,  for   i = 1 , …  , L , μ i , θ i  ← U  q , η → i  ←U  q w ,  if   ρ  ( i ) = ( t , v → i ) ,  k i * := ( u i  ( t, - 1 , ) , s i  e → 1 + θ i  v → i   2 + n   0 u ,  u  η → i , w  0 z  z ) * ,  if   ρ  ( i ) =  ( t , v → i ) ,  k i * := (u i  ( t , - 1 , ) , s i  v → i   2 + n   0 u ,  u  η → i ,  w 0 z  z ) * ,  return   sk := ( , k 0 * , k 1 * , …  , k L * ) . [Formula   136 ]

The function and operation of the encryption device 200 will bedescribed.

The encryption device 200 includes a public parameter acquisition unit210, an information input unit 220, a cipher data generation unit 230,and a data transmission unit 240. The cipher data generation unit 230includes a random number generation unit 231 and a cipher elementgeneration unit 232.

With reference to FIG. 11, the process of the Enc algorithm will bedescribed.

(S301: Public Parameter Acquisition Step)

Using the communication device and via the network, for example, thepublic parameter acquisition unit 210 obtains the public parameter pkgenerated by the key generation device 100.

(S302: Information Input Step)

Using the input device, the information input unit 220 takes as input amessage m to be transmitted to the decryption device 300. Using theinput device, the information input unit 220 also takes as input anattribute set Γ:={(t, {right arrow over (x)}_(t):=(x_(t,1), . . . ,x_(t,n)εFq^(n))) 1≦t≦d}. Note that t may be at least some integers from1 to d, instead of being all of integers from 1 to d. Note thatinformation on the attributes of the user capable of decryption is setin the attribute set Γ, for example.

(S303: Random Number Generation Step)

Using the processing device, the random number generation unit 231generates random numbers, as indicated in Formula 137.

ω , ζ  ← U  q , ϕ → 0 := ( ϕ 0 , 1 , …  , ϕ 0 , z 0 )  ← U  q z 0 , σ t  ← U  q ,  ϕ → 0 := ( ϕ t , 1 , …  , ϕ t , z )  ← U  q z  for   ( t , x → t ) ∈ Γ [ Formula   137 ]

(S304: Cipher Element Generation Step)

Using the processing device, the cipher element generation unit 232generates an element c₀ of a ciphertext ct_(Γ), as indicated in Formula138.

c 0 := ( ω , 0 u 0 ,  u 0  ζ , 0 w 0 ,  w 0  ϕ → 0  z 0 ) 0 [Formula   138 ]

Using the processing device, the cipher element generation unit 232 alsogenerates an element c_(t) of the ciphertext ct_(Γ) for each integer tincluded in the attribute information Γ, as indicated in Formula 139.

c t := ( σ t  ( 1 , t ) , ω   x → t ,  2 + n  0 u ,  u 0  0 w , w 0  ϕ → t  z 0 ) [ Formula   139 ]

Using the processing device, the cipher element generation unit 232 alsogenerates an element c_(d+1) of the ciphertext ct_(Γ), as indicated inFormula 140.

c _(d+1) :=g _(T) ^(ζ) m  [Formula 140]

(S305: Data Transmission Step)

Using the communication device and via the network, for example, thedata transmission unit 240 transmits the ciphertext ct_(Γ) having, aselements, the attribute set Γ inputted in (S302) and c₀, c_(t), andc_(d+1) generated in (S304) to the decryption device 300. As a matter ofcourse, the ciphertext ct_(Γ) may be transmitted to the decryptiondevice 300 by another method.

In brief, in (S301) through (S304), the encryption device 200 executesthe Enc algorithm indicated in Formula 141, and thus generates theciphertext ct_(Γ). In (S305), the encryption device 200 transmits thegenerated ciphertext ct_(Γ) to the decryption device 300.

Enc ( pk , m , Γ := { ( t , x t := ( x t , 1 , …  , x t , n ) ∈ q n  \ { 0 } )  1 ≤ t ≤ d } )  :   ω , ζ  ← U  q , ϕ → 0  ← U  q z 0,  c 0 := ( ω , 0 u 0 ,  u 0  ζ , 0 w 0 ,  w 0  ϕ → 0  z 0 ) 0 , cd + 1 := g T ζ  m ,  for   ( t , x → t ) ∈ Γ , σ t  ← U  q , ϕ → t ← U  q z ,  c t := ( σ t  ( 1 , t ) , ω   x → t ,  2 + n  0 u , u 0  0 w ,  w 0  ϕ → t  z 0 ) ,  return   ct Γ := ( Γ , c 0 , {c t } ( t , x → t ) ∈ Γ , c d + 1 ) . [ Formula   141 ]

The function and operation of the decryption device 300 will bedescribed.

The decryption device 300 includes a decryption key acquisition unit310, a data receiving unit 320, a span program computation unit 330, acomplementary coefficient computation unit 340, a pairing operation unit350, and a message computation unit 360.

With reference to FIG. 12, the process of the Dec algorithm will bedescribed.

(S401: Decryption Key Acquisition Step)

Using the communication device and via the network, for example, thedecryption key acquisition unit 310 obtains the decryption keysk_(S):=(S, k*₀, k*₁, . . . , k*_(L)) distributed by the key generationdevice 100. The decryption key acquisition unit 310 also obtains thepublic parameter pk generated by the key generation device 100.

(S402: Data Reception Step)

Using the communication device and via the network, for example, thedata receiving unit 320 receives the ciphertext ct_(Γ) transmitted bythe encryption device 200.

(S403: Span Program Computation Step)

Using the processing device, the span program computation unit 330checks whether or not the access structure S included in the decryptionkey sk_(S) obtained in (S401) accepts Γ included in the ciphertextct_(Γ) received in (S402). The method for checking whether or not theaccess structure S accepts Γ is the same as that described in “5.Concept for implementing functional encryption in Embodiment 1”.

If the access structure S accepts Γ (accept in S403), the span programcomputation unit 330 advances the process to (S404). If the accessstructure S rejects Γ (reject in S403), the span program computationunit 330 determines that the ciphertext ct_(Γ) cannot be decrypted withthe decryption key sk_(S), and ends the process.

(S404: Complementary Coefficient Computation Step)

Using the processing device, the complementary coefficient computationunit 340 computes I and a constant (complementary coefficient){α_(i)}_(iε1) such that Formula 142 is satisfied.

{right arrow over (1)}=Σ_(iεI)α_(i) M _(i), where M _(i) is the i-th rowof M,

and I⊂{iε{1, . . . ,L}|[ρ(i)=(t,{right arrow over (v)} _(i))

(t,{right arrow over (x)} _(t))εΓ

{right arrow over (v)} _(i) ·{right arrow over (x)} _(t)=0]

[ρ(i)=

(t,{right arrow over (v)} _(i))

(t,{right arrow over (x)} _(t))εΓ

{right arrow over (v)} _(i) ·{right arrow over (x)} _(t)≠0]}  [Formula142]

(S405: Pairing Operation Step)

Using the processing device, the pairing operation unit 350 computesFormula 143, and thus generates a session key K=g_(T) ^(ζ).

$\begin{matrix}{K:={{e\left( {c_{0},k_{0}^{*}} \right)}{\sum\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}^{\;}\; {{e\left( {c_{t},k_{i}^{*}} \right)}\alpha_{i}{\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}\; {{e\left( {c_{t},k_{i}^{*}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 143} \right\rbrack\end{matrix}$

As indicated in Formula 144, the key K=g_(T) ^(ζ) can be obtained bycomputing Formula 143.

$\begin{matrix}{{{e\left( {c_{0},k_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}^{\;}\; {{e\left( {c_{t},k_{i}^{*}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}\; {{e\left( {c_{t},k_{i}^{*}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{i}} \right)}}}}}}} = {{g_{T}^{{{- \omega}\; s_{0}} + \zeta}{\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}^{\;}\; {g_{T}^{\omega \; \alpha_{i}s_{i}}{\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}\; g_{T}^{\omega \; \alpha_{i}{s_{i}{({{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{i}})}}{({{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{i}})}}}}}} = {g_{T}^{{\omega {({{- s_{0}} + {\sum\limits_{i \in I}^{\;}\; {\alpha_{i}s_{i}}}})}} + \zeta} + {g_{T}^{\zeta}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 144} \right\rbrack\end{matrix}$

(S406: Message Computation Step)

Using the processing device, the message computation unit 360 computesm′=c_(d+1)/K, and thus generates a message m′ (=m). Note that c_(d+1) isg_(T) ^(ζ)m, as indicated in Formula 142, and that K is g_(T) ^(ζ).Hence, the message m can be obtained by computing m′=c_(d+1)/K.

In brief, in (S401) through (S406), the decryption device 300 executesthe Dec algorithm indicated in Formula 145, and thus generates themessage m′ (=m).

Dec  ( pk , sk := ( , k 1 * , …  , k L * ) , ct Γ := ( Γ , { c t } x →t ∈ Γ , c d + 1 ) )  :    If   := ( M , ρ )   accepts   Γ := {( t , x → t ) } ,   then   compute   I   and   { α i } i ∈ I  such   that    1 → = ∑ i ∈ I   α i  M i ,   where    M i  is   the   i  -  th   row   of   M ,   and   I ⊆ { i∈ { 1 , …  , L }     [   ρ  ( i ) = ( t , v → i ) ⋀ ( t , x → t ) ∈Γ ⋀ v → i · x → t = 0 ] ⋁ [   ρ  ( i ) =  ( t , v → i ) ⋀ ( t , x → t) ∈ Γ ⋀ v → i · x → t ≠ 0 ] }   K := e  ( c 0 , k 0 * )  ∑ i ∈ I ⋀ ρ ( i ) = ( t , v → i )   e  ( c t , k i * )  α i  ∏ i ∈ I ⋀ ρ  (i ) = ( t , v → i )   e  ( c t , k i * )  α i / ( v → i · x → t ) ,  return   m ′ := c d + 1 / K . [ Formula   145 ]

As described above, in the cryptographic system 10 according toEmbodiment 2, μ_(i)t and −μ_(i) are respectively set as the coefficientof the basis vectors b*₁ and b*₂ for the element k*_(i) of thedecryption key sk_(S). In the cryptographic system 10, σ_(t) and σ_(t)tare respectively set as the coefficient of the basis vectors b₁ and b₂for the element c_(t) of the ciphertext ct_(Γ).

Because of these arrangements, when a pairing operation is performed onthe element k*_(i) and the element c_(t) for the corresponding index t,an inner-product of 0 is obtained for portions constituted by the basisvectors b*₁ and b*₂ and the basis vectors b₁ and b₂, which are thuscanceled out. That is, when a pairing operation is performed on theelement k*_(i) and the element c_(t) for the corresponding index t, theindex parts that are set as the coefficients of the basis vectors(portions constituted by the basis vectors b*₁ and b*₂ and the basisvectors b₁ and b₂) are canceled out, and a result of the pairingoperation for the remaining portions can be obtained.

In the cryptographic system 10 according to Embodiment 2, the indexparts are provided, so that the bases that are used for every attributecategory can be constructed as the common bases (basis B and basis B*).As a result, only the basis B and the basis B* need to be included in apublic parameter, eliminating the need for reissuing the publicparameter when an attribute category is to be added at a later stage.

In the cryptographic system 10 according to Embodiment 2, the publicparameter and the master secret key are of smaller sizes compared withthose in the functional encryption scheme described in Non-PatentLiterature 29. Therefore, calculations using the public parameter andthe master secret key can be performed efficiently.

For the index parts, it is required that 0 be obtained as a result of aninner-product operation of the index parts. Therefore, although the2-dimensional index parts, namely the basis vectors b*₁ and b*₂ and thebasis vectors b₁ and b₂, are employed in the above description, theindex parts are not limited to 2-dimensional and may be 3-dimensional orhigher-dimensional. The values assigned to the index parts are notlimited to those described above, and a different assignment arrangementmay be employed.

The functional encryption scheme has been described above. As indicatedin Formula 146 through Formula 149, however, the functional encryptionscheme described above can be modified into an attribute-basedencryption scheme. Note that N₀ is 1+1+1+1+1=5 and N₁ is 2+2+8+2+2=16 inFormula 146 through Formula 149. That is, u₀=1, w₀=1, z₀=1, n=2, u=8,w=2, and z=2. Even in this case, security can be proven.

 Setup   ( 1 λ )  :    ( param , ( 0 , 0 * ) , ( , * ) )  ← R ob  ( 1 λ ) , / * N = 16 * /  ^ 0 := ( b 0 , 1 , b 0 , 3 , b 0 , 5 ) ,^ := ( b 1 , …  , b 4 , b 15 , b 16 ) ,  ^ 0 * := ( b 0 , 1 , b 0 , 3, b 0 , 4 ) , ^ * := ( b 1 * , …  , b 4 * , b 13 * , b 14 * ) ,  return   pk := ( 1 λ , param , ^ 0 , ^ ) , sk := ( ^ 0 * , ^ * ) .  ob  ( 1 λ )  :   := ( q , , T , g , e )  ← R  bpg  ( 1 λ ) ,  ψ  ← U  q x ,   N 0 := 5 , N 1 := 16 ,   for   t = 0 , 1 ,  :=( q , t , T , t , e ) := dpvs  ( 1 λ , N t , ) ,   X t := ( χ t , i ,j ) i , j = 1 , …  , N t  ← U  GL  ( N t , q ) ,   X t * := ( ϑ t, i , j ) i , j = 1 , …  , N t := ψ · ( X t T ) - 1 ,   hereafter , χ→ t , i    and    ϑ → t , i   denote   the   i  -  th  rows   of   X t     and     X t *   for   i = 1 , …  ,N t ,   respectively ,   b t , i := ( χ → t , i ) t = ∑ j = 1 N t  χ t , i , j  a t , j   for   i = 1 , …  , N t ,   t := ( b t ,1 , …  , b t , N t ) ,   b t , i * := ( ϑ → t , i ) t = ∑ j = 1 N t  ϑ t , i , j  a t , j   for   i = 1 , …  , N t ,   t * := ( b t, 1 * , …  , b t , N t * ) ,   g T := e  ( g , g )  ψ , param := ({ } t = 0 , 1 , g T ) ,   return  ( param , , * ) . [ Formula   146]  KeyGen  ( pk , sk , := ( M , ρ ) )  :    f →  ← U  q r ,  s 0 := 1 → · f → T ,   s → T := ( s 1 , …  , s L ) T := M · f → T ,  η 0  ← U  q ,   k 0 * := ( - s 0 , 0 , 1 , η 0 , 0 ) 0 * ,   for  i = 1 , …  , L ,   μ i , θ i , η i , 1 , η i , 2  ← U  q ,  if   ρ  ( i ) = ( t , v i ) ,  k i * := ( u i  ( t , - 1 , ) , si + θ i  v i - θ i   4   0 8 ,  8  η i , 1 , η i , 2 ,  2  0 2 2 ) * ,   if   ρ  ( i ) =  ( t , v i ) ,   k i * := ( u i  (t , - 1 , ) , s i  ( v i , - 1 ) ,   4   0 8 ,  8  η i , 1 , η i, 2 ,  2  0 2  2 ) * ,   return   sk := ( , k 0 * , k 1 * , …  ,k L * ) . [ Formula   147 ]  Enc  ( pk , m , Γ := { ( t , x t )  1≤ t ≤ d } )  :    ω , ζ , ϕ 0  ← U  q ,   c 0 := ( ω , 0 , ζ , 0, ϕ 0 ) 0 ,   c d + 1 := g T ζ  m ,   for  ( t , x t ) ∈ Γ , σ t ,ϕ t , 1 , ϕ t , 2  ← U  q ,   c t = ( σ i  ( 1 , t ) , ω  ( 1 , xt ) ,  4  0 8 ,  8  0 2 ,  2  ϕ t , 1 , ϕ t , 2  2 ) ,   return  ct Γ := ( Γ , c 0 , { c t } ( t , x t ) ∈ Γ , c d + 1 ) . [ Formula  148 ]  Dec  ( pk , sk := ( , k 1 * , …  , k L * ) ,   ct Γ := ( Γ , { c t } x t ∈ Γ , c d + 1 ) )  :    If   := ( M , ρ )  accepts   Γ := { ( t , x t ) } ,   then   compute   I   and  { α i } i ∈ I   such   that    1 → = ∑ i ∈ I   α i  M i ,  where    M i   is   the   i  -  th   row   of   M ,  and   I ⊆ { i ∈ { 1 , …  , L }     [  ρ  ( i ) = ( t , v i ) ⋀( t , x t ) ∈ Γ ] ⋁ [  ρ  ( i ) =  ( t , v i ) ⋀ ( t , x t ) ∈ Γ ⋀ vi ≠ x t ] } ,  K := e  ( c 0 , k 0 * ) · ∏ i ∈ I ⋀ ρ  ( i ) = ( t , vi )   e  ( c t , k i * )  α i  ∏ i ∈ I ⋀ ρ  ( i ) =  ( t , v i )  e  ( c t , k i * )  α i / ( v i · x i ) ,   return   m ′ := cd + 1 / K . [ Formula   149 ]

Embodiment 3

Like Embodiment 2, this embodiment describes a narrowly-definedcryptographic processing scheme. In particular, this embodimentdescribes a ciphertext-policy functional encryption (CP-FE) scheme.

Note that cipher-text policy means that a policy, namely an accessstructure, is embedded in a ciphertext.

First, the construction of the CP-FE scheme will be described.

Second, the configuration of a cryptographic system 10 that implementsthe CP-FE scheme will be described.

Third, the CP-FE scheme will be described in detail.

<1. Construction of CP-FE Scheme>

The CP-FE scheme consists of four algorithms: Setup, KeyGen, Enc, andDec.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input asecurity parameter λ, and outputs a public parameter pk and a master keysk.

(KeyGen)

A KeyGen algorithm is a probabilistic algorithm that takes as input anattribute set Γ:={(t, {right arrow over (x)}_(t))|{right arrow over(x)}_(t)εF_(q) ^(n), 1≦t≦d}, the public parameter pk, and the master keysk, and outputs a decryption key sk_(Γ).

(Enc)

An Enc algorithm is a probabilistic algorithm that takes as input amessage m, an access structure S:=(M, ρ), and the public parameter pk,and outputs a ciphertext ct_(S).

(Dec)

A Dec algorithm is an algorithm that takes as input the ciphertextct_(S) encrypted under the access structure S, the decryption key sk_(Γ)for the attribute set F, and the public parameter pk, and outputs themessage m or a distinguished symbol ⊥.

<2. Configuration of Cryptographic System 10 that Implements CP-FEScheme>

FIG. 13 is a configuration diagram of the cryptographic system 10 thatimplements the CP-FE scheme according to Embodiment 3.

The cryptographic system 10 includes a key generation device 100, anencryption device 200, and a decryption device 300.

The key generation device 100 executes the Setup algorithm taking asinput a security parameter λ, and thus generates a public parameter pkand a master key sk. Then, the key generation device 100 publishes thegenerated public parameter pk. The key generation device 100 alsoexecutes the KeyGen algorithm taking as input an attribute set Γ, andthus generates a decryption key sk_(Γ), and distributes the decryptionkey sk_(Γ) to the decryption device 300 in secrecy.

The encryption device 200 executes the Enc algorithm taking as input amessage m, an access structure S, and the public parameter pk, and thusgenerates a ciphertext ct_(S). The encryption device 200 transmits thegenerated ciphertext ct_(S) to the decryption device 300.

The decryption device 300 executes the Dec algorithm taking as input thepublic parameter pk, the decryption key sk_(S), and the ciphertextct_(S), and outputs the message m or a distinguished symbol ⊥.

<3. CP-FE Scheme in Detail>

With reference to FIGS. 14 to 19, the CP-FE scheme will be described,and the function and operation of the cryptographic system 10 thatimplements the CP-FE scheme will be described.

FIG. 14 is a configuration diagram of the key generation device 100according to Embodiment 3. FIG. 15 is a configuration diagram of theencryption device 200 according to Embodiment 3. FIG. 16 is aconfiguration diagram of the decryption device 300 according toEmbodiment 3.

FIG. 17 is a flowchart illustrating the operation of the key generationdevice 100 and illustrating the process of the KeyGen algorithm. FIG. 18is a flowchart illustrating the operation of the encryption device 200and illustrating the process of the Enc algorithm. FIG. 19 is aflowchart illustrating the operation of the decryption device 300 andillustrating the process of the Dec algorithm.

In the following description, it is assumed that x_(t,1):=1.

The process of the Setup algorithm is the same as the process describedin Embodiment 2, and thus will not be described.

The function and operation of the key generation device 100 will bedescribed.

The key generation device 100 includes a master key generation unit 110,a master key storage unit 120, an information input unit 130, adecryption key generation unit 140, and a key distribution unit 150. Thedecryption key generation unit 140 includes a random number generationunit 143 and a key element generation unit 144.

With reference to FIG. 17, the process of the KeyGen algorithm will bedescribed.

(S501: Information Input Step)

Using the input device, the information input unit 130 takes as input anattribute set Γ:={(t, {right arrow over (x)}_(t):=(x_(t,1), . . . ,x_(t,n)εF_(q) ^(n))) 1≦t≦d}. Note that attribute information of the userof a decryption key sk_(Γ) is set in the attribute set Γ, for example.

(S502: Random Number Generation Step)

Using the processing device, the random number generation unit 143generates random numbers, as indicated in Formula 150.

 ω  ← U  q , ϕ → 0 := ( ϕ 0 , 1 , …  , ϕ 0 , w 0 )  ← U  q w 0 , σ t  ← U  q , ϕ → t := ( ϕ t , 1 , …  , ϕ t , w )  ← U  q w   for  ( t , x → t ) ∈ Γ [ Formula   150 ]

(S503: Key Element Generation Step)

Using the processing device, the key element generation unit 144generates an element k*₀ of the decryption key sk_(Γ), as indicated inFormula 151.

$\begin{matrix}{k_{0}^{*}:=\left( {\omega,{\overset{\overset{u_{0}}{}}{0^{u_{0}},}1},{\overset{\overset{w_{0}}{}}{{\overset{\rightarrow}{\phi}}_{0},}\overset{\overset{z_{0}}{}}{0^{z_{0}},}}} \right)_{_{0}^{*}}} & \left\lbrack {{Formula}\mspace{14mu} 151} \right\rbrack\end{matrix}$

Using the processing device, the key element generation unit 144 alsogenerates an element k*_(t) of the decryption key sk_(Γ) for eachinteger t included in the attribute set Γ, as indicated in Formula 152.

$\begin{matrix}{k_{t}^{*}:=\left( {\overset{\overset{2 + n}{}}{{\sigma_{t}\left( {1,t} \right)},{\omega {\overset{\rightarrow}{\; x}}_{t}},}\; \overset{\overset{u}{}}{0^{u},}\overset{\overset{w}{}}{{\overset{\rightarrow}{\phi}}_{t},}\overset{\overset{z}{}}{0^{z}}} \right)_{^{*}}} & \left\lbrack {{Formula}\mspace{14mu} 152} \right\rbrack\end{matrix}$

(S504: Key Distribution Step)

Using the communication device and via the network, for example, the keydistribution unit 150 distributes the decryption key sk_(Γ) having, aselements, the attribute set Γ inputted in (S501) and k*₀ and k*_(t)generated in (S503) to the decryption device 300 in secrecy. As a matterof course, the decryption key sk_(Γ) may be distributed to thedecryption device 300 by another method.

In brief, in (S501) through (S503), the key generation device 100executes the KeyGen algorithm indicated in Formula 153, and thusgenerates the decryption key sk_(Γ). In (S504), the key generationdevice 100 distributes the generated decryption key sk_(Γ) to thedecryption device 300.

$\begin{matrix}{{{{KeyGen}\left( {{pk},{sk},{\Gamma:=\left\{ \left( {t,{{\overset{\rightarrow}{x}}_{t}:={\left( {x_{1,t},\ldots \mspace{14mu},x_{t,n}} \right) \in {_{q}^{n}\backslash \left\{ \overset{\rightarrow}{0} \right\}}}}} \right) \middle| {1 \leq t \leq d} \right\}}} \right)}\text{:}}\mspace{20mu} {{\omega \overset{U}{}_{q}},{{\overset{\rightarrow}{\phi}}_{0}\overset{U}{}_{q}^{w_{0}}},\mspace{20mu} {k_{0}^{*}:=\left( {\omega,{\overset{\overset{u_{0}}{}}{0^{u_{0}},}1},{\overset{\overset{w_{0}}{}}{{\overset{\rightarrow}{\phi}}_{0},}\overset{\overset{z_{0}}{}}{0^{z_{0}},}}} \right)_{_{0}^{*}}},\mspace{20mu} {{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma},{\sigma_{t}\overset{U}{}_{q}},{{\overset{\rightarrow}{\phi}}_{t}\overset{U}{}_{q}^{w}},\mspace{20mu} {k_{t}^{*}:=\left( {\overset{\overset{2 + n}{}}{{\sigma_{t}\left( {1,t} \right)},{\omega {\overset{\rightarrow}{\; x}}_{t}},}\overset{\overset{u}{}}{0^{u},}\overset{\overset{w}{}}{{\overset{\rightarrow}{\phi}}_{t},}\overset{\overset{z}{}}{0^{z}}} \right)_{^{*}}},\mspace{20mu} {{{return}\mspace{14mu} {sk}_{\Gamma}}:={\left( {\Gamma,k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma}} \right).}}}} & \left\lbrack {{Formula}\mspace{14mu} 153} \right\rbrack\end{matrix}$

The function and operation of the encryption device 200 will bedescribed.

The encryption device 200 includes a public parameter acquisition unit210, an information input unit 220, a cipher data generation unit 230,and a data transmission unit 240. The cipher data generation unit 230includes a random number generation unit 231, a cipher elementgeneration unit 232, an f vector generation unit 233, and an s vectorgeneration unit 234.

With reference to FIG. 18, the process of the Enc algorithm will bedescribed.

(S601: Public Parameter Acquisition Step)

Using the communication device and via the network, for example, thepublic parameter acquisition unit 210 obtains the public parameter pkgenerated by the key generation device 100.

(S602: Information Input Step)

Using the input device, the information input unit 220 takes as input anaccess structure S:=(M, ρ). Note that the access structure S is to beset according to the conditions of a system to be implemented. Note alsothat attribute information of the user capable of decryption is set in ρof the access structure S, for example.

Using the input device, the information input unit 220 also takes asinput a message m to be transmitted to the decryption device 300.

(S603: f Vector Generation Step)

Using the processing device, the f vector generation unit 233 randomlygenerates a vector {right arrow over (f)} having r pieces of elements,as indicated in Formula 154.

$\begin{matrix}{\overset{\rightarrow}{f}\overset{U}{}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 154} \right\rbrack\end{matrix}$

(S604: s Vector Generation Step)

Using the processing device and based on an (L rows×r columns) matrix Mincluded in the access structure S inputted in (S602) and the vector{right arrow over (f)} generated in (S603), the s vector generation unit234 generates a vector {right arrow over (s)}^(T):=(s₁, . . . ,s_(L))^(T), as indicated in Formula 155.

{right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrowover (f)} ^(T)  [Formula 155]

Using the processing device and based on the vector {right arrow over(f)} generated in (S603), the s vector generation unit 234 alsogenerates a value s₀, as indicated in Formula 156.

s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 156]

(S605: Random Number Generation Step)

Using the processing device, the random number generation unit 231generates random numbers, as indicated in Formula 157.

$\begin{matrix}{{{\zeta \overset{U}{}_{q}},{{\overset{\rightarrow}{\eta}}_{0}:={\left( {\eta_{0,1},\cdots \mspace{14mu},\eta_{0,z_{0}}} \right)\overset{U}{}_{q}^{z_{0}}}},{{{for}\mspace{20mu} i} = 1},\cdots \mspace{14mu},L}{{{{if}\mspace{14mu} {\rho (i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},\mu_{i},{\theta_{i}\overset{U}{}_{q}},{{\overset{\rightarrow}{\eta}}_{i}:={\left( {\eta_{i,1},\cdots \mspace{14mu},\eta_{i,z}} \right)\overset{U}{}_{q}^{z}}},{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mu_{i},{\overset{U}{}_{q}},{{\overset{\rightarrow}{\eta}}_{i}:={\left( {\eta_{i,1},\cdots \mspace{14mu},\eta_{i,z}} \right)\overset{U}{}_{q}^{z}}}}} & \left\lbrack {{Formula}\mspace{20mu} 157} \right\rbrack\end{matrix}$

(S606: Cipher Element Generation Step)

Using the processing device, the cipher element generation unit 232generates an element c₀ of cipher data c, as indicated in Formula 158.

$\begin{matrix}{c_{0}:=\left( {{- s_{0}},{\overset{\overset{u_{0}}{}}{0^{u_{0}},}\zeta},{\overset{\overset{w_{0}}{}}{0^{w_{0}},}\overset{\overset{z_{0}}{}}{{\overset{\rightarrow}{\eta}}_{0}}}} \right)_{_{0}}} & \left\lbrack {{Formula}\mspace{14mu} 158} \right\rbrack\end{matrix}$

Using the processing device, the cipher element generation unit 232 alsogenerates an element c_(i) of the cipher data c for each integer i=1, .. . , L, as indicated in Formula 159.

$\begin{matrix}{{{{for}\mspace{14mu} i} = 1},\cdots \mspace{14mu},L,{{{if}\mspace{14mu} {\rho (i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},{c_{i}:=\left( {\overset{\overset{2 + n}{}}{{\mu_{i}\left( {t,{- 1}} \right)},{{s_{i}{\overset{\rightarrow}{e}}_{1}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}},}\overset{\overset{u}{}}{0^{u},}\overset{\overset{w}{}}{0^{w},}\overset{\overset{z}{}}{{\overset{\rightarrow}{\eta}}_{i}}} \right)_{}},{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},{c_{i}:=\left( {\overset{\overset{2 + n}{}}{{\mu_{i}\left( {t,{- 1}} \right)},{s_{i}{\overset{\rightarrow}{v}}_{i}},}\overset{\overset{u}{}}{0^{u},}\overset{\overset{w}{}}{0^{w},}\overset{\overset{z}{}}{{\overset{\rightarrow}{\eta}}_{i}}} \right)_{}}} & \left\lbrack {{Formula}\mspace{14mu} 159} \right\rbrack\end{matrix}$

Using the processing device, the cipher element generation unit 232 alsogenerates an element c_(d+1) of the cipher data c, as indicated inFormula 160.

c _(d+1) :=g _(T) ^(ζ) m  [Formula 160]

(S607: Data Transmission Step)

Using the communication device and via the network, for example, thedata transmission unit 240 transmits a ciphertext ct_(S) having, aselements, the access structure S inputted in (S602) and c₀, c₁, . . . ,c_(L), and c_(d+1) generated in (S606) to the decryption device 300. Asa matter of course, the ciphertext ct_(S) may be transmitted to thedecryption device 300 by another method.

In brief, in (S601) through (S606), the encryption device 200 executesthe Enc algorithm indicated in Formula 161, and thus generates theciphertext ct_(S). In (S607), the encryption device 200 transmits thegenerated ciphertext ct_(S) to the decryption device 300.

$\begin{matrix}{{{{Enc}\left( {{pk},m,{:=\left( {M,\rho} \right)}} \right)}\text{:}}{{f\overset{U}{}_{q}^{r}},{s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},{{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\cdots \mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},{\zeta \overset{U}{}_{q}},{{\overset{\rightarrow}{\eta}}_{0}\overset{U}{}_{q}^{z_{0}}},{c_{0}:=\left( {{- s_{0}},{\overset{\overset{u_{0}}{}}{0^{u_{0}},}\zeta},{\overset{\overset{w_{0}}{}}{0^{w_{0}},}\overset{\overset{z_{0}}{}}{{\overset{\rightarrow}{\eta}}_{0},}}} \right)_{_{0}}},{{{for}\mspace{20mu} i} - 1},\cdots \mspace{14mu},L,{{{if}\mspace{14mu} {\rho (i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},\mu_{i},{\theta_{i}\overset{U}{}_{q}},{{\overset{\rightarrow}{\eta}}_{i}\overset{U}{}_{q}^{z}},{c_{i}:=\left( {\overset{\overset{2 + n}{}}{{\mu_{i}\left( {t,{- 1}} \right)},{{s_{i}{\overset{\rightarrow}{e}}_{1}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}},}\overset{\overset{u}{}}{0^{u},}\overset{\overset{w}{}}{0^{w},}\overset{\overset{z}{}}{{\overset{\rightarrow}{\eta}}_{i}}} \right)_{}},{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},{\mu_{i}\overset{U}{}_{q}},{{\overset{\rightarrow}{\eta}}_{i}\overset{U}{}_{q}^{z}},{c_{i}:=\left( {\overset{\overset{2 + n}{}}{{\mu_{i}\left( {t,{- 1}} \right)},{s_{i}{\overset{\rightarrow}{v}}_{1}},}\overset{\overset{u}{}}{0^{u},}\overset{\overset{w}{}}{0^{w},}\overset{\overset{z}{}}{{\overset{\rightarrow}{\eta}}_{i}}} \right)_{}},{c_{d + 1}:={g_{T}^{\zeta}m}},{{{return}\mspace{14mu} {ct}_{}}:={\left( {,c_{0},c_{1},\cdots \mspace{14mu},c_{L},c_{d + 1}} \right).}}}} & \left\lbrack {{Formula}\mspace{14mu} 161} \right\rbrack\end{matrix}$

The function and operation of the decryption device 300 will bedescribed.

The decryption device 300 includes a decryption key acquisition unit310, a data receiving unit 320, a span program computation unit 330, acomplementary coefficient computation unit 340, a pairing operation unit350, and a message computation unit 360.

With reference to FIG. 15, the process of the Dec algorithm will bedescribed.

(S701: Decryption Key Acquisition Step)

Using the communication device and via the network, for example, thedecryption key acquisition unit 310 obtains the decryption key sk_(Γ)distributed by the key generation device 100. The decryption keyacquisition unit 310 also obtains the public parameter pk generated bythe key generation device 100.

(S702: Data Reception Step)

Using the communication device and via the network, for example, thedata receiving unit 320 receives the ciphertext ct_(S) transmitted bythe encryption device 200.

(S703: Span Program Computation Step)

Using the processing device, the span program computation unit 330checks whether or not the access structure S included in the ciphertextct_(S) obtained in (S702) accepts Γ included in the decryption keysk_(Γ) received in (S701). The method for checking whether or not theaccess structure S accepts Γ is the same as that described in “5.Concept for implementing functional encryption in Embodiment 1”.

If the access structure S accepts Γ (accept in S703), the span programcomputation unit 330 advances the process to (S704). If the accessstructure S rejects Γ (reject in S703), the span program computationunit 330 determines that the ciphertext ct_(S) cannot be decrypted withthe decryption key sk_(Γ) and ends the process.

(S704) through (S706) are substantially the same as (S404) through(S406) in Embodiment 2 shown in FIG. 12.

In brief, in (S701) through (S706), the encryption device 200 executesthe Dec algorithm indicated in Formula 162, and thus generates themessage m′ (=m).

$\begin{matrix}{{{{Dec}\left( {{pk},{{sk}_{\Gamma}:=\left( {\Gamma,k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma}} \right)},{{ct}_{}:=\left( {,c_{0},c_{1},\cdots \mspace{14mu},c_{L},c_{d + 1}} \right)}} \right)}\text{:}}\mspace{20mu} {{{{If}\mspace{14mu} }:={{\left( {M,\rho} \right)\mspace{14mu} {accepts}\mspace{14mu} \Gamma}:=\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}}},\mspace{20mu} {{then}\mspace{14mu} {compute}\mspace{14mu} I\mspace{14mu} {and}\mspace{14mu} \left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu} {such}\mspace{14mu} {that}}}{{\overset{\rightarrow}{1} = {\sum_{i \in I}{\alpha_{i}M_{i}}}},{{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{11mu} \text{i-th}\mspace{20mu} {row}\mspace{14mu} {of}\mspace{14mu} M},{and}}{{I \subseteq {\left\{ {i \in \left\{ {1,\ldots \mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{i}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{i}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{i}} \right)} \in {{\bigwedge{{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{i}}} \neq 0}}}} \right\rbrack} \right\}.K}}:={{{e\left( {c_{0},k_{0}^{*}} \right)}{\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\; {{e\left( {c_{i},k_{t}^{*}} \right)}\alpha_{i}{\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}{{e\left( {c_{i},k_{t}^{*}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} - {\overset{\rightarrow}{x}}_{t}} \right)}\mspace{20mu} {return}\mspace{14mu} m^{\prime}}}}}}:={c_{d + 1}/{K.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 162} \right\rbrack\end{matrix}$

As described above, as in the cryptographic system 10 according toEmbodiment 2, in the cryptographic system 10 according to Embodiment 3,the index parts are provided, so that the bases that are used for everyattribute category can be constructed as the common bases (basis B andbasis B*). As a result, only the basis B and the basis B* need to beincluded in a public parameter, eliminating the need for reissuing thepublic parameter when an attribute category is to be added at a laterstage.

As in Embodiment 2, for the index parts, it is required that 0 beobtained as a result of an inner-product operation of the index parts.Therefore, although the 2-dimensional index parts, namely the basisvectors b*₁ and b*₂ and the basis vectors b₁ and b₂, are employed in theabove description, the index parts are not limited to 2-dimensional andmay be 3-dimensional or higher-dimensional. The values assigned to theindex parts are not limited to those described above, and a differentassignment arrangement may be employed.

The functional encryption scheme has been described above. As indicatedin Formula 163 through Formula 167, however, the functional encryptionscheme can be modified into an attribute-based encryption scheme. Notethat N₀ is 1+1+1+1+1=5 and N₁ is 2+2+8+2+2=16 in Formula 163 throughFormula 167. That is, u₀=1, w₀=1, z₀=1, n=2, u=8, w=2, and z=2. Even inthis case, security can be proven.

$\begin{matrix}{{{{Setup}\left( 1^{\lambda} \right)}:\mspace{14mu} {\left( {{param},\left( {_{0},_{0}^{*}} \right),\left( {,^{*}} \right)} \right)\overset{R}{}{_{ob}\left( 1^{\lambda} \right)}}},\mspace{20mu} {{/{*N}} = {{16*{/\mspace{20mu} {\hat{}}_{0}}}:=\left( {b_{0,1},b_{0,3},b_{0,5}} \right)}},\mspace{20mu} {\hat{}:=\left( {b_{1},\cdots \mspace{14mu},b_{4},b_{15},b_{16}} \right)},\mspace{20mu} {{\hat{}}_{0}^{*}:=\left( {b_{0,1}^{*},b_{0,3}^{*},b_{0,4}^{*}} \right)},\mspace{20mu} {{\hat{}}^{*}:=\left( {b_{1}^{*},\cdots \mspace{14mu},b_{4}^{*},b_{13}^{*},b_{14}^{*}} \right)},\mspace{20mu} {{pk}:=\left( {1^{\lambda},{param},{\hat{}}_{0},\hat{}} \right)},{{sk}:=\left( {{\hat{}}_{0}^{*},{\hat{}}^{*}} \right)},\mspace{20mu} {{return}\mspace{14mu} {pk}},{{sk}.}} & \left\lbrack {{Formula}\mspace{14mu} 163} \right\rbrack \\{{{{_{ob}\left( 1^{\lambda} \right)}:\mspace{14mu} {param}_{}}:={\left( {q,,_{T},g,e} \right)\overset{R}{}{_{bpg}\left( 1^{\lambda} \right)}}},\mspace{20mu} {\psi \overset{U}{}_{q}^{x}},\mspace{20mu} {N_{0}:=5},{N_{1}:=16},\mspace{20mu} {{{for}\mspace{14mu} t} = 0},1,} & \; \\{{{{param}_{_{t}}:={\left( {q,_{t},_{T},_{t},e} \right):={_{dpvs}\left( {1^{\lambda},N_{t},{param}_{}} \right)}}},\mspace{20mu} {X_{t}:={\left( \chi_{t,i,j} \right)_{i,{j = 1},\cdots \mspace{14mu},N_{t}}\overset{U}{}{{GL}\left( {N_{t},_{q}} \right)}}},\mspace{20mu} {X_{t}^{*}:={\left( \vartheta_{t,i,j} \right)_{i,{j = 1},\cdots \mspace{14mu},N_{t}}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}}},{hereafter},{\overset{\rightarrow}{\chi}}_{t,i}}\mspace{20mu} {{and}\mspace{14mu} {\overset{\rightarrow}{\vartheta}}_{t,i}\mspace{14mu} {denote}\mspace{14mu} {the}\mspace{14mu} \text{i-th}\mspace{14mu} {rows}\mspace{14mu} {of}\mspace{14mu} X_{t}\mspace{14mu} {and}}\mspace{14mu} \mspace{20mu} {{{X_{t}^{*}\mspace{14mu} {for}\mspace{14mu} i} = 1},\cdots \mspace{14mu},N_{t},{respectively},}} & \; \\{{b_{t,i}:={\left( {\overset{\rightarrow}{\chi}}_{t,i} \right)_{_{t}} = {{\underset{j = 1}{\sum\limits^{N_{t}}}\; {\chi_{t,i,j}a_{t,j}\mspace{14mu} {for}\mspace{14mu} i}} = 1}}},\cdots \mspace{14mu},N_{t},\mspace{20mu} {_{t}:=\left( {b_{t,1},\cdots \mspace{14mu},b_{t,N_{t}}} \right)},{b_{t,i}^{*}:={\left( {\overset{\rightarrow}{\vartheta}}_{t,i} \right)_{_{t}} = {{\sum\limits_{j = 1}^{N_{t}}\; {\vartheta_{t,i,j}a_{t,j}\mspace{14mu} {for}\mspace{14mu} i}} = 1}}},\cdots \mspace{14mu},N_{t},\mspace{20mu} {_{t}:=\left( {b_{t,1}^{*},\cdots \mspace{14mu},b_{t,N_{t}}^{*}} \right)},\mspace{20mu} {g_{T}:={e\left( {g,g} \right)}^{\psi}},{{param}:=\left( {\left\{ {param}_{V_{t}} \right\}_{{t = 0},1},g_{T}} \right)},\mspace{20mu} {{return}\mspace{14mu} {\left( {{param},,^{*}} \right).}}} & \; \\{\mspace{79mu} {{{{KeyGen}\left( {{pk},{sk},{\Gamma:=\left\{ {\left( {t,x_{t}} \right){1 \leq t \leq d}} \right\}}} \right)}\text{:}}\mspace{20mu} {\omega,{\phi_{0}\overset{U}{}_{q}},\mspace{20mu} {k_{0}^{*}:=\left( {\omega,0,1,\phi_{0},0} \right)_{_{0}^{*}}},\mspace{20mu} {{{for}\mspace{14mu} \left( {t,x_{t}} \right)} \in \Gamma},\sigma_{t},\phi_{t,1},\phi_{t,2},{\overset{U}{}_{q}},\mspace{20mu} {k_{t}^{*}:=\left( {\overset{\overset{4}{}}{{\sigma_{t}\left( {1,t} \right)},{\omega \left( {1,x_{t}} \right)},}\overset{\overset{8}{}}{0^{8},}\overset{\overset{2}{}}{\phi_{t,1},\phi_{t,2},}\overset{\overset{2}{}}{0^{2}}} \right)_{B^{*}}},\mspace{20mu} {{{return}\mspace{14mu} {sk}_{\Gamma}}:={\left( {\Gamma,k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,x_{t}})} \in \Gamma}} \right).}}}}} & \left\lbrack {{Formula}\mspace{20mu} 164} \right\rbrack \\\begin{matrix}{\mspace{79mu} {{{{Enc}\left( {{pk},m,{:=\left( {M,\rho} \right)}} \right)}:\mspace{79mu} {\overset{\rightarrow}{f}\overset{U}{}_{q}^{r}}},{s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\mspace{20mu} {{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\cdots \mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},\zeta,{\eta_{0}\overset{U}{}_{q}},}} \\{\mspace{79mu} {{c_{0}:=\left( {{- s_{0}},0,\zeta,0,\eta_{0}} \right)_{_{0}}},}}\end{matrix} & \left\lbrack {{Formula}\mspace{14mu} 165} \right\rbrack \\{\mspace{20mu} {{{{for}\mspace{14mu} i} = 1},\cdots \mspace{14mu},L,\mspace{20mu} {{{if}\mspace{14mu} {\rho (i)}} = \left( {t,v_{i}} \right)},\mu_{i},\theta_{i},\eta_{i,1},{\eta_{i,2}\overset{U}{}_{q}},\mspace{20mu} {c_{i}:=\left( {\overset{\overset{4}{}}{{\mu_{i}\left( {t,{- 1}} \right)},{s_{i} + {\theta_{i}v_{i}}},{- \theta_{i}}}\overset{\overset{8}{}}{0^{8},}\overset{\overset{2}{}}{0^{2},}\overset{\overset{2}{}}{\eta_{i,1},\eta_{i,2}}} \right)_{}},\mspace{20mu} {{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,v_{i}} \right)}},\mu_{i},\eta_{i,1},{\eta_{i,2}\overset{U}{}_{q}},\mspace{20mu} {c_{i}:=\left( {\overset{\overset{4}{}}{{\mu_{i}\left( {t,{- 1}} \right)},{s_{i}\left( {v_{i},{- 1}} \right)},}\overset{\overset{8}{}}{0^{8},}\overset{\overset{2}{}}{0^{2},}\overset{\overset{2}{}}{\eta_{i,1},\eta_{i,2}}} \right)_{}},\mspace{20mu} {c_{d + 1}:={g_{T}^{\zeta}m}},\mspace{20mu} {{{return}\mspace{14mu} {ct}_{}}:={\left( {,c_{0},c_{1},\cdots \mspace{14mu},c_{L},c_{d + 1}} \right).}}}} & \; \\{{{{Dec}\left( {{pk},{{sk}_{\Gamma}:=\left( {\Gamma,k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,x_{t}})} \in \Gamma}} \right)},{{ct}_{}:=\left( {,c_{0},c_{1},\cdots \mspace{14mu},c_{L},c_{d + 1}} \right)}} \right)}\text{:}}\mspace{20mu} {{{{If}\mspace{14mu} }:={{\left( {M,\rho} \right)\mspace{14mu} {accepts}\mspace{14mu} \Gamma}:=\left\{ \left( {t,x_{t}} \right) \right\}}},\mspace{20mu} {{then}\mspace{14mu} {compute}\mspace{14mu} I\mspace{14mu} {and}\mspace{14mu} \left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu} {such}\mspace{14mu} {that}}}{{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}{\alpha_{i}M_{i}}}},{{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} \text{i-th}{\mspace{11mu} \;}{row}\mspace{14mu} {of}\mspace{14mu} M},{and}}} & \left\lbrack {{Formula}\mspace{14mu} 166} \right\rbrack \\{{I \subseteq {\left\{ {{i \in \left\{ {1,\cdots \mspace{14mu},L} \right\}}{\left\lbrack {{\rho (i)} = {{{\left( {t,v_{i}} \right)\bigwedge\left( {t,x_{t}} \right)} \in {\Gamma\bigwedge v_{i}}} = x_{t}}} \right\rbrack\bigvee \left\lbrack {{\rho (i)} = {{{\left( {t,v_{i}} \right)\bigwedge\left( {t,x_{t}} \right)} \in {{\Gamma\bigwedge v_{i}} \neq x_{t}}}}} \right\rbrack}} \right\}.K}}:={{{e\left( {c_{0},k_{0}^{*}} \right)}{\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,v_{i}})}}\; {{e\left( {c_{i},k_{t}^{*}} \right)}\alpha_{i}{\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,v_{i}})}}}{{e\left( {c_{i},k_{t}^{*}} \right)}{\alpha_{i}/{\alpha_{i}\left( {v_{i} - x_{i}} \right)}}\mspace{20mu} {return}\mspace{14mu} m^{\prime}}}}}}:={c_{d + 1}/{K.}}}} & \;\end{matrix}$

In Embodiment 2, the KP-FE scheme has been described. In Embodiment 3,the CP-FE scheme has been described. As with these schemes, theunified-policy (UP-FE) scheme described in Non-Patent Literature 30 maybe constructed such that there is no need to reissue a public parameterwhen an attribute category is to be added.

Embodiment 4

Like Embodiments 2 and 3, this embodiment describes a narrowly-definedcryptographic processing scheme. In particular, this embodimentdescribes a hierarchical inner-product predicate encryption (HIPE)scheme.

The HIPE scheme is an inner-product predicate encryption scheme which iscapable of delegation. Delegation means that a user who has ahigher-level key generates a lower-level key having more limitedcapabilities than the user's (higher-level) key. The limitedcapabilities mean that the lower-level key can decrypt only some ofciphertexts that can be decrypted with the higher-level key. Asexplained in Embodiment 1, the inner-product predicate encryption schemecorresponds to a case where the design of the access structure in thefunctional encryption scheme is limited.

The HIPE scheme includes a first scheme which is efficient, and a secondscheme which is less efficient than the first scheme, but guaranteessecurity of even attribute information that is set in a ciphertext (seeNon-Patent Literature 29). Here, as an example of the second scheme, ascheme which allows for addition of an attribute category withoutreissuing a public parameter will be described. However, by makingsimilar modifications to the algorithms described in Non-PatentLiterature 29, the first scheme can also be constructed to allow foraddition of an attribute category without reissuing a public parameter.

First, the construction of the HIPE scheme will be described.

Second, the configuration of a cryptographic system 10 that implementsthe HIPE scheme will be described.

Third, the HIPE scheme will be described in detail.

<1. Construction of HIPE Scheme>

The HIPE scheme consists of five algorithms: Setup, KeyGen, Enc, Dec,and Delegate_(L).

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input asecurity parameter 1^(λ), and outputs a master public key pk and amaster secret key sk. The master secret key sk is a top-level key.

(KeyGen)

A KeyGen algorithm is a probabilistic algorithm that takes as input themaster public key pk, the master secret key sk, and predicateinformation ({right arrow over (v)}₁, . . . , {right arrow over(v)}_(L)) (1≦L≦d), and outputs an L-th-level secret key sk_(L).

(Enc)

An Enc algorithm is a probabilistic algorithm that takes as input themaster public key pk, attribute information ({right arrow over (x)}₁, .. . , {right arrow over (x)}_(h)) (1≦h≦d), and a message m, and outputsa ciphertext ct.

(Dec)

A Dec algorithm is a probabilistic algorithm that takes as input themaster public key pk, the L-th-level secret key sk_(L), and theciphertext ct, and outputs the message m or a distinguished symbol ⊥.

(Delegate_(L))

Delegate_(L) is a probabilistic algorithm that takes as input the masterpublic key pk, the L-th-level secret key sk_(L), and (L+1)-th levelpredicate information {right arrow over (v)}_(L+1) (L+1≦d), and outputsan (L+1)-th-level secret key sk_(L+1). That is, the Delegate_(L)algorithm outputs a lower-level secret key.

<2. Configuration of Cryptographic System 10 that Implements HIPEScheme>

FIG. 20 is a configuration diagram of the cryptographic system 10 thatimplements the HIPE scheme according to Embodiment 4.

The cryptographic system 10 includes a key generation device 100, anencryption device 200, a decryption device 300, and a key delegationdevice 400. It is assumed in the following description that thedecryption device 300 includes the key delegation device 400. However,the key delegation device 400 may be provided separately from thedecryption device 300.

The key generation device 100 executes the Setup algorithm taking asinput a security parameter λ, and thus generates a master public key pkand a master secret key sk. Then, the key generation device 100publishes the generated master public key pk. The key generation device100 also executes the KeyGen algorithm taking as input the master publickey pk, the master secret key sk, and predicate information ({rightarrow over (v)}₁, . . . , {right arrow over (v)}_(L)) (1≦L≦d), and thusgenerates an L-th-level secret key sk_(L), and distributes theL-th-level secret key sk_(L) to the L-th level decryption device 300 insecrecy.

The encryption device 200 executes the Enc algorithm taking as input themaster public key pk, attribute information ({right arrow over (x)}₁, .. . , {right arrow over (x)}_(h)) (1≦h≦d), and a message m, and thusgenerates a ciphertext ct. The encryption device 200 transmits thegenerated ciphertext ct to the decryption device 300.

The decryption device 300 executes the Dec algorithm taking as input themaster public key pk, the L-th-level secret key sk_(L), and theciphertext ct, and outputs the message m or a distinguished symbol 1.

The key delegation device 400 executes the Delegate_(L) algorithm takingas input the master public key pk, the L-th-level secret key sk_(L), and(L+1)-th-level predicate information {right arrow over (v)}_(L+1)(L+1≦d), and thus generates an (L+1)-th-level secret key sk_(L+1), anddistributes the (L+1)-th-level secret key sk_(L+1) to the (L+1)-th-leveldecryption device 300 in secrecy.

<3. HIPE Scheme in Detail>

With reference to FIGS. 21 to 29, the HIPE scheme and the operation andfunction of the cryptographic system 10 that implements the HIPE schemeaccording to Embodiment 4 will be described.

FIG. 21 is a configuration diagram of the key generation device 100according to Embodiment 4. FIG. 22 is a configuration diagram of theencryption device 200 according to Embodiment 4. FIG. 23 is aconfiguration diagram of the decryption device 300 according toEmbodiment 4. FIG. 24 is a configuration diagram of the key delegationdevice 400 according to Embodiment 4.

FIGS. 25 and 26 show flowcharts illustrating the operation of the keygeneration device 100. FIG. 25 is a flowchart illustrating the processof the Setup algorithm. FIG. 26 is a flowchart illustrating the processof the KeyGen algorithm. FIG. 27 is a flowchart illustrating theoperation of the encryption device 200 and illustrating the process ofthe Enc algorithm. FIG. 28 is a flowchart illustrating the operation ofthe decryption device 300 and illustrating the process of the Decalgorithm. FIG. 29 is a flowchart illustrating the operation of the keydelegation device 400 and illustrating the process of the Delegate_(L)algorithm.

The function and operation of the key generation device 100 will bedescribed.

The key generation device 100 includes a master key generation unit 110,a master key storage unit 120, an information input unit 130, adecryption key generation unit 140, and a key distribution unit 150. Thedecryption key generation unit 140 includes a random number generationunit 143, a key element generation unit 144, a randomizing elementgeneration unit 145, and a delegation element generation unit 146.

With reference to FIG. 25, the process of the Setup algorithm will bedescribed.

S801 is substantially the same as (S101) in Embodiment 2 shown in FIG.9.

(S802: Public Parameter Generation Step)

Using the processing device, the master key generation unit 110generates a subbasis B

₀ of the basis B₀, a subbasis B

of the basis B, a subbasis B

_(0,pk) of the basis B*₀, and a subbasis B

*_(pk) of the basis B*, as indicated in Formula 167, the bases B₀, B

, B, and B*₀ having been generated in (S801).

₀:=(b _(0,1) ,b _(0,1+u) ₀ ₊₁ ,b _(0,1+u) ₀ _(+1+w) ₀ ₊₁ , . . . ,b_(0,1+u) ₀ _(+1+w) ₀ _(+z) ₀ ),

:=(b ₁ , . . . ,b _(2+n) ,b _(2+n+u+w+1) , . . . ,b _(2+n+u+w+z)),

*_(0,pk) =b* _(0,1+u) ₀ ₊₁₊₁ , . . . ,b _(0,1+u) ₀ _(+1+w) ₀ ,

*_(pk):=(b* ₁ ,b* ₂ ,b* _(2+n+u+1) , . . . ,b* _(2+n+u+w))  [Formula167]

The master key generation unit 110 generates a public parameter pk byputting together the generated subbasis B

₀, subbasis B

, subbasis B̂*_(0,pk), and subbasis B

*_(pk), the security parameter λ(1^(λ)) inputted in (S801), and paramgenerated in (S801).

(S803: Master Key Generation Step)

Using the processing device, the master key generation unit 110generates a subbasis B

*_(0,sk) of the basis B*₀ and a subbasis B

*_(sk) of the basis B*, as indicated in Formula 168, the bases B*₀ andB* having been generated in (S801).

*_(0,sk):=(b* _(0,1) ,b* _(0,1+u) ₀ ₊₁),

*_(sk)=(b* ₂₊₁ , . . . ,b* _(2+n))  [Formula 168]

The master key generation unit 110 generates a master key sk which isconstituted by the generated subbasis B

*₀ and subbasis B

*.

(S804: Master Key Storage Step)

The master key storage unit 120 stores the public parameter pk generatedin (S802) in the storage device. The master key storage unit 120 alsostores the master key sk generated in (S803) in the storage device.

In brief, in (S801) through (S803), the key generation device 100executes the Setup algorithm indicated in Formula 169, and thusgenerates the public parameter pk and the master key sk. In (S804), thekey generation device 100 stores the generated public parameter pk andmaster key sk in the storage device.

The public parameter is published via the network, for example, and ismade available for the encryption device 200 and the decryption device300.

$\begin{matrix}{{{{Setup}\left( 1^{\lambda} \right)}\text{:}\mspace{20mu} {\left( {{param},\left( {_{0},_{0}^{*}} \right),\left( {,^{*}} \right)} \right)\overset{R}{}{_{ob}\left( 1^{\lambda} \right)}}},{{\hat{}}_{0}:=\left( {b_{0,1},b_{0,{1 + u_{0} + 1}},b_{0,{1 + u_{0} + 1 + w_{0} + 1}},\cdots \mspace{14mu},b_{0,{1 + u_{0} + 1 + w_{0} + z_{0}}}} \right)},{\hat{}:=\left( {b_{1},\cdots \mspace{14mu},b_{2 + n},b_{2 + n + u + w + 1},\cdots \mspace{14mu},b_{2 + n + u + w + z}} \right)},\mspace{20mu} {{\hat{}}_{0,{p\; k}}^{*}:=b_{0,{1 + u_{0} + 1 + 1}}^{*}},\cdots \mspace{14mu},b_{0,{1 + u_{0} + 1 + w_{0}}},\mspace{20mu} {{\hat{}}_{0,{sk}}^{*}:=\left( {b_{0,1}^{*},b_{0,{1 + u_{0} + 1}}^{*}} \right)},\mspace{20mu} {{\hat{}}_{p\; k}^{*}:=\left( {b_{1}^{*},b_{2}^{*},b_{2 + n + u + 1}^{*},\cdots \mspace{14mu},b_{2 + n + u + w}^{*}} \right)},\mspace{20mu} {{\hat{}}_{sk}^{*}:=\left( {b_{2 + 1}^{*},\cdots \mspace{14mu},b_{2 + n}^{*}} \right)},\mspace{20mu} {{{return}\mspace{14mu} {pk}}:=\left( {1^{\lambda},{param},{\hat{}}_{0},\hat{},{\hat{}}_{0,{pk}}^{*},{\hat{}}_{pk}^{*}} \right)},\mspace{20mu} {{sk}:={\left( {{\hat{}}_{0,{sk}}^{*},{\hat{}}_{sk}^{*}} \right).}}} & \; & \left\lbrack {{Formula}\mspace{14mu} 169} \right\rbrack\end{matrix}$

With reference to FIG. 26, the process of the KeyGen algorithm to beexecuted by the key generation device 100 will be described.

(S901: Information Input Step)

Using the input device, the information input unit 130 takes as inputpredicate information ({right arrow over (v)}₁, . . . , {right arrowover (v)}_(L)). Note that {right arrow over (v)}_(i):=v_(i,1), . . . ,v_(i,n) for each integer i=1, . . . , L. Note that the attribute of theuser of the key is input as the predicate information.

(S902: Random Number Generation Step)

Using the processing device, the random number generation unit 143generates random numbers, as indicated in Formula 170.

$\begin{matrix}{{{{{for}\mspace{14mu} j} = 1},\cdots \mspace{14mu},{{2L};{\tau = {L + 1}}},\cdots \mspace{14mu},{d;{i = 1}},\cdots \mspace{14mu},{n;}}\mspace{20mu} {\psi,\mu_{{dec},t},\mu_{{ran},1,j,t},s_{{dec},t},s_{{ran},1,j,t},\mspace{20mu} \theta_{{dec},t},{{{\theta_{{ran},1,j,t}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} t} = 1},\cdots \mspace{14mu},L,\mspace{20mu} \mu_{{del},{({\tau,\iota})},t},\mu_{{ran},2,\tau,\iota},s_{{del},{({\tau,\iota})},t},s_{{ran},2,\tau,\iota},\theta_{{del},{({\tau,\iota})},t},{{{\theta_{{ran},2,\tau,t}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} t} = 1},\cdots \mspace{14mu},{L + 1},\mspace{20mu} {{\overset{->}{\eta}}_{{dec},0}:=\eta_{{dec},0,1}},\cdots \mspace{14mu},\eta_{{dec},0,w_{0}},\mspace{20mu} {{\overset{->}{\eta}}_{{ran},1,j,0}:=\eta_{{ran},1,j,0,1}},\cdots \mspace{14mu},\eta_{{ran},1,j,0,w_{0}},\mspace{20mu} {{\overset{->}{\eta}}_{{del},{({\tau,\iota})},0}:=\eta_{{del},{({\tau,\iota})},0,1}},\cdots \mspace{14mu},\eta_{{del},{({\tau,\iota})},0,w_{0}},{{\overset{->}{\eta}}_{{ran},2,\tau,0}:=\eta_{{ran},2,\tau,0,1}},\cdots \mspace{14mu},{\eta_{{ran},2,\tau,0,w_{0}}\overset{U}{}_{q}^{w_{0}}},\mspace{20mu} {{\overset{->}{\eta}}_{{dec},t}:=\eta_{{dec},t,1}},\cdots \mspace{14mu},\eta_{{dec},t,w},{{\overset{->}{\eta}}_{{ran},1,j,t}:=\eta_{{ran},1,j,t,1}},\cdots \mspace{14mu},{{{\eta_{{ran},1,j,t,w}\overset{U}{}_{q}^{w}}\mspace{14mu} {for}\mspace{14mu} t} = 1},\cdots,L,\mspace{20mu} {{\overset{->}{\eta}}_{{del},{({\tau,\iota})},t}:=\eta_{{del},{({\tau,\iota})},t,1}},\cdots \mspace{14mu},\eta_{{del},{({\tau,\iota})},t,w},{{\overset{->}{\eta}}_{{ran},2,\tau,\iota}:=\eta_{{ran},2,\tau,t,1}},\cdots \mspace{20mu},\mspace{11mu} {{{\eta_{{ran},2,\tau,t,w}\overset{U}{}_{q}^{w}}\mspace{14mu} {for}\mspace{14mu} t} = 1},\cdots \mspace{14mu},{L + 1}}} & \left\lbrack {{Formula}\mspace{14mu} 170} \right\rbrack\end{matrix}$

The random number generation unit 143 also sets s_(dec,0),s_(ran,1,j,0), s_(ran,2,τ,0), and s_(del,(τ,ι),0), as indicated inFormula 171.

s _(dec,0):=Σ_(t=1) ^(L) s _(dec,t),

s _(ran,1,j,0):=Σ_(t=1) ^(L) s _(ran,1,j,t),

s _(ran,2,τ,0):=Σ_(t=1) ^(L+1) s _(ran,2,τ,t),

s _(del,(τ,ι),0):=Σ_(t=1) ^(L+1) s _(del,(τ,ι),t),  [Formula 171]

(S903: Key Element Generation Step)

Using the processing device, the key element generation unit 144generates a key element k*_(L,dec) which is an element of the decryptionkey sk_(L), as indicated in Formula 172.

k* _(L,dec):=((−s _(dec,0),0^(u) ⁰ ,1,{right arrow over(η)}_(dec,0),0^(z) ⁰ )

_(*) ₀ ),

(μ_(dec,t)(t,−1),s _(dec,t) {right arrow over (e)} ₁+θ_(dec,t) {rightarrow over (v)} _(t),0^(u),{right arrow over (η)}_(dec,t),0^(z))

_(*)

:t=1, . . . ,L)  [Formula 172]

(S904: First Randomizing Element Generation Step)

Using the processing device, the randomizing element generation unit 145generates a first randomizing element k*_(L,ran,1,j) which is an elementof the decryption key sk_(L), for each integer j=1, . . . , 2L, asindicated in Formula 173.

k* _(L,ran,1,j):=((−s _(ran,1,j,0),0^(u) ₀,0,{right arrow over(η)}_(ran,1,j,0),0^(z) ⁰ )

_(*) ₀ ,

(μ_(ran,1,j,t)(t,−1),s _(ran,1,j,t) {right arrow over (e)}₁+θ_(ran,1,j,t) {right arrow over (v)} _(t),0^(u),

{right arrow over (η)}_(ran,1,j,t),0^(z))

_(*) :t=1, . . . ,L)  [Formula 173]

(S905: Second Randomizing Element Generation Step)

Using the processing device, the randomizing element generation unit 145generates a second randomizing element k*_(L,ran,2,τ) which is anelement of the decryption key sk_(L), for each integer τ=L+1, . . . , d,as indicated in Formula 174.

k* _(L,ran,2,τ):=((−s _(ran,2,τ,0),0^(u) ⁰ ,0,{right arrow over(η)}_(ran,2,τ,0),0^(z) ⁰ )

_(*) ₀ ,

(μ_(ran,2,τ,t)(t,−1),s _(ran,2,τ,t) {right arrow over (e)}₁+θ_(ran,2,τ,t) {right arrow over (v)} _(t),0^(u),

{right arrow over (η)}_(ran,2,τ,t),0^(z))

_(*) :t=1, . . . ,L,

(μ_(ran,2,τ,L+1)(τ,−1),s _(ran,2,τ,L+1) {right arrow over (e)}₁,0^(u),{right arrow over (η)}_(ran,2,τ,L+1),0^(z))

_(*))  [Formula 174]

(S906: Delegation Element Generation Step)

Using the processing device, the delegation element generation unit 146generates a delegation element k*_(L,del,(τ,ι)) which is an element ofthe decryption key sk_(L), for each integer τ=L+1, . . . , d, and eachinteger ι=1, 2 with respect to each integer τ, as indicated in Formula175.

k* _(L,del,(τ,ι)):=((−s _(del,(τ,ι),0),0^(u) ⁰ ,0,{right arrow over(η)}_(del,(τ,ι),0),0^(z) ⁰ )

_(*) ₀ ,

(μ_(del,(τ,ι),t)(t,−1),s _(del,(τ,ι),t) {right arrow over (e)}₁+θ_(del,(τ,ι),t) {right arrow over (v)} _(t),0^(u),

{right arrow over (η)}_(del,(τ,ι),t),0^(z))

_(*) :t=1, . . . ,L,

(μ_(del,(τ,ι),L+1)(τ,−1),s _(del,(τ,ι),L+1) {right arrow over (e)} ₁+ψ{right arrow over (e)} _(t),0^(u),

{right arrow over (η)}_(del,(τ,2),L+1),0^(z))

_(*))  [Formula 175]

(S907: Key Distribution Step)

Using the communication device and via the network, for example, the keydistribution unit 150 distributes the decryption key sk_(L) having, aselements, the key element k*_(L,dec), the first randomizing elementk*_(L,ran,1,j), the second randomizing element k*_(L,ran,2,τ), and thedelegation element k*_(L,del,(τ,ι)) to the decryption device 300 insecrecy. As a matter of course, the decryption key sk_(L) may bedistributed to the decryption device 300 by another method.

In brief, in (S901) through (S906), the key generation device 100executes the KeyGen algorithm indicated in Formula 176 and Formula 177,and thus generates the decryption key sk_(L). In (S907), the keygeneration device 100 distributes the generated decryption key sk_(L) tothe decryption device 300.

$\begin{matrix}{\mspace{79mu} {{{{KeyGen}\left( {{pk},{sk},{\left( {{{\overset{\rightarrow}{v}}_{1,}\cdots},{\overset{\rightarrow}{v}}_{L}} \right) \in {{_{q}^{n}\cdots} \times _{q}^{n}}}} \right)}\text{:}}{{{{for}\mspace{14mu} j} = 1},\cdots \mspace{14mu},{{2L};{\tau = {L + 1}}},\cdots \mspace{14mu},{d;{t = 1}},\cdots \mspace{14mu},{n;}}\mspace{20mu} {\psi,\mu_{{dec},t},\mu_{{ran},1,j,t},s_{{dec},t},s_{{ran},1,j,t},\mspace{20mu} \theta_{{dec},t},{{{\theta_{{ran},1,j,t}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} t} = 1},\cdots \mspace{14mu},L,\mspace{20mu} \mu_{{del},{({\tau,\iota})},t},\mu_{{ran},2,\tau,t},s_{{del},{({\tau,\iota})},t},s_{{ran},2,\tau,t},\mspace{20mu} \theta_{{del},{({\tau,\iota})},t},{{{\theta_{{ran},2,\tau,t}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} t} = 1},\cdots \mspace{14mu},{L + 1},}}} & \left\lbrack {{Formula}\mspace{14mu} 176} \right\rbrack \\{\mspace{20mu} {{s_{{dec},0}:={\sum\limits_{t = 1}^{L}\; s_{{dec},t}}},{s_{{del},{({\tau,\iota})},0}:={\sum\limits_{t = 1}^{L + 1}\; s_{{del},{({\tau,\iota})},t}}},\mspace{20mu} {s_{{ran},1,j,0}:={\sum\limits_{t = 1}^{L}\; s_{{ran},1,j,t}}},{s_{{ran},2,\tau,0}:={\sum\limits_{t = 1}^{L + 1}\; s_{{ran},2,\tau,\iota}}},\mspace{20mu} {\overset{\rightarrow}{\eta}}_{{dec},0},{\overset{\rightarrow}{\eta}}_{{ran},1,j,0},{\overset{\rightarrow}{\eta}}_{{del},{({\tau,\iota})},0},{{\overset{\rightarrow}{\eta}}_{{ran},2,\tau,0}\overset{U}{}_{q}^{w_{0}}},\mspace{20mu} {\overset{\rightarrow}{\eta}}_{{dec},t},{{{{\overset{\rightarrow}{\eta}}_{{ran},1,j,t}\overset{U}{}_{q}^{w}}\mspace{14mu} {for}\mspace{14mu} t} = 1},\cdots \mspace{14mu},L,\mspace{20mu} {\overset{\rightarrow}{\eta}}_{{del},{({\tau,\iota})},t},{{{{\overset{\rightarrow}{\eta}}_{{ran},2,\tau,t}\overset{U}{}_{q}^{w}}\mspace{14mu} {for}\mspace{14mu} t} = 1},\cdots \mspace{14mu},{L + 1},}} & \; \\{\left. {{k_{L,{dec}}^{*}:={{\left( {\left( {{- s_{{dec},0}},0^{u_{0}},1,{\overset{\rightarrow}{\eta}}_{{dec},0},0^{z_{0}}} \right)_{_{0}^{*}},{\left( {{\mu_{{dec},t}\left( {t,{- 1}} \right)},{{s_{{dec},t}{\overset{\rightarrow}{e}}_{1}} + {\theta_{{dec},t}{\overset{\rightarrow}{v}}_{t}}},0^{u},{\overset{\rightarrow}{\eta}}_{{dec},t},0^{z}} \right)_{B^{*}}\text{:}}}\mspace{11mu}\quad \right.\; t} = 1}},\cdots \mspace{14mu},L} \right),} & \left\lbrack {{Formula}\mspace{14mu} 177} \right\rbrack \\{k_{L,{del},{({\tau,\iota})}}^{*}:=\left( {\left( {{- s_{{del},{({\tau,\iota})},0}},0^{u_{0}},0,{\overset{\rightarrow}{\eta}}_{{del},{({\tau,\iota})},0},0^{z_{0}}} \right)_{_{0}^{*}},\left( {{\mu_{{del},{({\tau,\iota})},t}\left( {t,{- 1}} \right)},{{s_{{del},{({\tau,\iota})},t}{\overset{\rightarrow}{e}}_{1}} + {\theta_{{del},{({\tau,\iota})},t}{\overset{\rightarrow}{v}}_{t}}},0^{u},{{\left. \quad{{\overset{\rightarrow}{\eta}}_{{del},{({\tau,\iota})},t},0^{z}} \right)_{B^{*}}:t} = 1},\cdots \mspace{14mu},L,{{\left( {{\mu_{{del},{({\tau,\iota})},{L + 1}}\left( {\tau,{- 1}} \right)},{{s_{{del},{({\tau,1})},{L + 1}}{\overset{\rightarrow}{e}}_{1}} + {\psi {\overset{\rightarrow}{e}}_{\iota}}},0^{u},{\overset{\rightarrow}{\eta}}_{{del},{({\tau,2})},{L + 1}},\left. \quad 0^{z} \right)_{^{*}}} \right)k_{L,{ran},1,j}^{*}}:=\left( {\left( {{- s_{{ran},1,j,0}},0^{u_{0}},0,{\overset{\rightarrow}{\eta}}_{{ran},1,j,0},0^{z_{0}}} \right)_{_{0}^{*}},\left( {{\mu_{{ran},1,j,t}\left( {t,{- 1}} \right)},{{s_{{ran},1,j,t}{\overset{\rightarrow}{e}}_{1}} + {\theta_{{ran},1,j,t}{\overset{\rightarrow}{v}}_{t}}},0^{u},{\overset{\rightarrow}{\eta}}_{{ran},1,j,t},{{\left. \quad 0^{z} \right)_{^{*}}:t} = 1},\cdots \mspace{14mu},L} \right),} \right.}} \right.} \right.} & \; \\{k_{L,{ran},2,\tau}^{*}:=\left( {\left( {{- s_{{ran},2,\tau,0}},0^{u_{0}},0,{\overset{\rightarrow}{\eta}}_{{ran},2,\tau,0},0^{z_{0}}} \right)_{_{0}^{*}},\left( {{\mu_{{ran},2,\tau,t}\left( {t,{- 1}} \right)},{{s_{{ran},2,\tau,\iota}{\overset{\rightarrow}{e}}_{1}} + {\theta_{{ran},2,\tau,\iota}{\overset{\rightarrow}{v}}_{t}}},0^{u},{\overset{\rightarrow}{\eta}}_{{ran},2,\tau,\iota},{{\left. \quad 0^{z} \right)_{^{*}}:t} = 1},\cdots \mspace{14mu},L,\left( {{\mu_{{ran},2,\tau,{L + 1}}\left( {\tau,{- 1}} \right)},{s_{{ran},2,\tau,{L + 1}}{\overset{\rightarrow}{e}}_{1}},0^{u},{\overset{\rightarrow}{\eta}}_{{ran},2,\tau,{L + 1}},0^{z}} \right)_{B^{*}}} \right),\mspace{20mu} {{sk}_{L}:={k_{L,{dec},}^{*}\left\{ k_{L,{del},{({\tau,\iota})}}^{*} \right\}_{{\tau = {L + 1}},\; \cdots \mspace{14mu},{d;{\iota = 1}},2}}},\mspace{20mu} \left\{ {k_{L,{ran},1,j}^{*},k_{L,{ran},2,\iota}^{*}} \right\}_{{{j = 1},\; \cdots \mspace{14mu},{{2L};{\tau = {L + 1}}},\; \cdots \mspace{14mu},d})},\mspace{20mu} {{return}\mspace{14mu} {{sk}_{L}.}}} \right.} & \;\end{matrix}$

The function and operation of the encryption device 200 will bedescribed.

The encryption device 200 includes a public parameter acquisition unit210, an information input unit 220, a cipher data generation unit 230,and a data transmission unit 240. The cipher data generation unit 230includes a random number generation unit 231 and a cipher elementgeneration unit 232.

With reference to FIG. 27, the process of the Enc algorithm to beexecuted by the encryption device 200 will be described.

(S1001: Master Public Key Acquisition Step)

Using the communication device and via the network, for example, thepublic parameter acquisition unit 210 obtains the master public key pkgenerated by the key generation device 100.

(S1002: Information Input Step)

Using the input device, the information input unit 220 takes as inputattribute information ({right arrow over (x)}₁, . . . , {right arrowover (x)}_(L)), where {right arrow over (x)}_(i):=x_(i,1), . . . ,x_(i,L) for each integer i=1, . . . , L. Note that the attribute of aperson capable of decrypting an encrypted message is input as theattribute information.

Using the input device, the information input unit 220 also takes asinput a message m to be encrypted.

(S1003: Random Number Generation Step)

Using the processing device, the random number generation unit 231generates random numbers, as indicated in Formula 178.

$\begin{matrix}{\mspace{79mu} {\omega,{\zeta \overset{U}{}_{q}},{{\overset{\rightarrow}{\phi}}_{0}:=\phi_{0,1}},\cdots \mspace{14mu},{\phi_{0,z_{0}}\overset{U}{}_{q}^{z_{0}}},{{\overset{\rightarrow}{\phi}}_{t}:=\phi_{t,1}},\cdots \mspace{14mu},{\phi_{t,z}\overset{U}{}_{q}^{z}},{{{\sigma_{t}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} t} = 1},\cdots \mspace{14mu},L}} & \left\lbrack {{Formula}\mspace{14mu} 178} \right\rbrack\end{matrix}$

(S1004: Cipher Element c1 Generation Step)

Using the processing device, the cipher element generation unit 232generates a cipher element c₁ which is an element of a ciphertext ct, asindicated in Formula 179.

c ₁:=((ω,0^(u) ⁰ ,ζ,0^(w) ⁰ ,{right arrow over (φ)}₀)

₀ ,(σ_(t)(1,t),ω{right arrow over (x)} _(t),0^(u),0^(w),{right arrowover (φ)}_(t))

:t=1, . . . ,L)  [Formula 179]

(S1005: Cipher Element c2 Generation Step)

Using the processing device, the cipher element generation unit 232generates a cipher element c₂ which is an element of the ciphertext ct,as indicated in Formula 180.

c ₂ :=g _(T) ^(ζ) m−  [Formula 180]

(S1006: Data Transmission Step)

Using the communication device and via the network, for example, thedata transmission unit 240 transmits the ciphertext ct including thecipher element c₁ and the cipher element c₂ to the decryption device300. As a matter of course, the ciphertext ct may be transmitted to thedecryption device 300 by another method.

In brief, in (S1001) through (S1005), the encryption device 200 executesthe Enc algorithm indicated in Formula 181, and thus generates theciphertext ct. In (S1006), the encryption device 200 transmits thegenerated ciphertext ct to the decryption device 300.

$\begin{matrix}{\mspace{79mu} {{{{Enc}\left( {{pk},{m \in _{T}},{\left( {{\overset{\rightarrow}{x}}_{1},\cdots \mspace{14mu},{\overset{\rightarrow}{x}}_{L}} \right) \in {_{q}^{n} \times \cdots \times _{q}^{n}}}} \right)}\text{:}}\mspace{79mu} {\omega,{\zeta \overset{U}{}_{q}},{{\overset{\rightarrow}{\phi}}_{0}\overset{U}{}_{q}^{z_{0}}},\mspace{20mu} {{{for}\mspace{14mu} t} = 1},\cdots \mspace{14mu},L,\mspace{20mu} {{\overset{\rightarrow}{\phi}}_{t}\overset{U}{}_{q}^{z}},{\sigma_{t}\overset{U}{}_{q}},{c_{1}:=\left( {\left( {\omega,0^{u_{0}},\zeta,0^{w_{0}},{\overset{\rightarrow}{\phi}}_{0}} \right)_{_{0}},{{\left( {{\sigma_{t}\left( {1,t} \right)},{\omega \; {\overset{\rightarrow}{x}}_{t}},0^{u},0^{w},{\overset{\rightarrow}{\phi}}_{t}} \right)_{}\text{:}\mspace{14mu} t} = 1},\cdots \mspace{14mu},L} \right)},\mspace{20mu} {c_{2}:={g_{T}^{\zeta}m}},{{ct}:=\left( {c_{1},c_{2}} \right)},\mspace{20mu} {{return}\mspace{14mu} {{ct}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 181} \right\rbrack\end{matrix}$

The function and operation of the decryption device 300 will bedescribed.

The decryption device 300 includes a decryption key acquisition unit310, a data receiving unit 320, a pairing operation unit 350, and amessage computation unit 360.

With reference to FIG. 28, the process of the Dec algorithm to beexecuted by the decryption device 300 will be described.

(S1101: Decryption Key Acquisition Step)

Using the communication device and via the network, for example, thedecryption key acquisition unit 310 obtains the decryption key sk_(L).The decryption key acquisition unit 310 also obtains the publicparameter pk generated by the key generation device 100.

(S1102: Data Reception Step)

Using the communication device and via the network, for example, thedata receiving unit 320 receives the ciphertext ct transmitted by theencryption device 200.

(S1103: Pairing Operation Step)

Using the processing device, the pairing operation unit 350 performs apairing operation indicated in Formula 182, and thus computes a sessionkey K=g_(T) ^(ζ).

e(c ₁ ,k* _(L,dec))  [Formula 182]

(S1104: Message Computation Step)

Using the processing device, the message computation unit 360 computes amessage m′ (=m) by dividing the cipher element c2 by the session key K.

In brief, in (S1101) through (S1104), the decryption device 300 executesthe Dec algorithm indicated in Formula 183, and thus computes themessage m′ (=m).

Dec(pk,k* _(L,dec) ,ct):

m′:=c ₂ /e(c ₁ ,k* _(L,dec)),

return m′.  [Formula 183]

The function and operation of the key delegation device 400 will bedescribed.

The key delegation device 400 includes a decryption key acquisition unit410, an information input unit 420, a delegation key generation unit430, and a key distribution unit 440. The delegation key generation unit430 includes a random number generation unit 431, a lower-level keyelement generation unit 432, a lower-level randomizing elementgeneration unit 433, and a lower-level delegation element generationunit 434.

With reference to FIG. 29, the process of the Delegate_(L) algorithm tobe executed by the key delegation device 400 will be described.

(S1201: Decryption Key Acquisition Step)

Using the communication device and via the network, for example, thedecryption key acquisition unit 410 obtains the decryption key sk_(L).The decryption key acquisition unit 410 also obtains the publicparameter pk generated by the key generation device 100.

(S1202: Information Input Step)

Using the input device, the information input unit 420 takes as inputpredicate information {right arrow over (v)}_(L+1):=(v_(L+1,i) (i=1, . .. , n_(L+1))). Note that the attribute of a person to whom the key is tobe delegated is input as the predicate information.

(S1203: Random Number Generation Step)

Using the processing device, the random number generation unit 431generates random numbers, as indicated in Formula 184.

 for    j ′ = 1 , …  , 2  ( L + 1 ) ;    τ = L + 2 , …  , d ;ι = 1 , …  , n ;    μ del , ( τ , ι ) ′ , μ ran , 2 , τ ′ , φ del ,( τ , ι ) , φ ran , 2 , τ , ψ ′   U  q ,  p dec * , p del , ( τ , ι) * , p ran , 1 , j ′ * , p ran , 2 , τ *   R  CoreDel L  ( pk , skL , v L + 1 ) ,   where    CoreDel L  ( pk , sk L , v L + 1 )  :   μ t ′ , ξ , α j   U  q    for    t = 1 , …  , L + 1 ;   j = 1 , …  , 2  L + 1 ,   return   p * := ∑ t = 1 L + 1  μ t′  ( tb 1 * - b 2 * ) 〈 t 〉 + ξ  ( ∑ i = 1 n  v L + 1 , k L * , del ( L + 1 , i ) ) + ∑ j = 1 2  L  α j  k L , ran , 1 , j * + α 2 L + 1  k L , ran , 2 , L + 1 * ,  r dec * , r ran , 1 , j ′ *   U span  〈 ( b 0 , 1 + u 0 + 1 + 1 * , …  , b 0 , 1 + u 0 + 1 + w 0 * )〈 0 〉 , { ( b 2 + n + u + 1 * , …  , b 2 + n + u + w * ) 〈 t 〉 } t = 1 , …  , L + 1 〉 ,  r del , ( τ , ι ) * , r ran , 2 , τ *   U span  〈 ( b 0 , 1 + u 0 + 1 + 1 * , …  , b 0 , 1 + u 0 + 1 + w 0 * 〈0 〉 , { ( b 2 + n + u + 1 * , …  , b 2 + n + u + w * ) 〈 t 〉 }  t =1 , …  , L + 1 〉 , [ Formula   184 ]

(S1204: Lower-Level Key Element Generation Step)

Using the processing device, the lower-level key element generation unit432 generates a lower-level key element k*_(L+1,dec) which is an elementof a delegation key sk_(L+1), as indicated in Formula 185.

k* _(L+1,dec) :=k* _(L,dec) +p* _(dec) +r* _(dec)  [Formula 185]

(S1205: First Lower-Level Randomizing Element Generation Step)

Using the processing device, the lower-level randomizing elementgeneration unit 433 generates a first lower-level randomizing elementk*_(L+1,ran,1,j′) which is an element of the delegation key sk_(L+1),for each integer j′=1, . . . , 2(L+1), as indicated in Formula 186.

k* _(L+1,ran,1,j′) :=p* _(ran,1,j′) +r* _(ran,1,j′)  [Formula 186]

(S1206: Second Lower-Level Randomizing Element Generation Step)

Using the processing device, the lower-level randomizing elementgeneration unit 433 generates a second lower-level randomizing elementk*_(L+1,ran,2,τ) which is an element of the delegation key sk_(L+1), foreach integer τ=L+2, . . . , d, as indicated in Formula 187.

k* _(L+1,ran,2,τ) :=p* _(ran,2,τ)+μ′_(ran,2,τ)(τb* ₁ −b* ₂)^((τ))

+φ_(ran,2,τ) k* _(L,ran,2,τ) +r* _(ran,2,τ)  [Formula 187]

(S1207: Lower-Level Delegation Element Generation Step)

Using the processing device, the lower-level delegation elementgeneration unit 434 generates a lower-level delegation elementk*_(L+1,del,(τ,ι)) which is an element of the delegation key sk_(L+1),for each integer τ=L+2, . . . , d and each integer ι=1, . . . , n withrespect to each integer z, as indicated in Formula 188.

k* _(L+1,del(τ,ι)) :=p* _(del(τ,ι))+μ′_(del(τ,ι))(τb* ₁ −b* ₂)^((τ))

+φ_(del,(τ,ι)) k* _(L,ran,2,τ)+ψ′k*_(L,del(τ,ι)) +r*_(del(τ,ι))  [Formula 188]

(S1208: Key Distribution Step)

Using the communication device and via the network, for example, the keydistribution unit 150 distributes the delegation key sk_(L+1)(lower-level decryption key) having, as elements, the lower-level keyelement k*_(L+1,dec), the first lower-level randomizing elementk*_(L+1,ran,1,j′), the second lower-level randomizing elementk*_(L+1,ran,2,τ), and the lower-level delegation elementk*_(L+1,del,(τ,ι)) to the lower-level decryption device 300 in secrecy.As a matter of course, the delegation key sk_(L+1) may be distributed tothe lower-level decryption device 300 by another method.

In brief, in (S1201) through (S1207), the key delegation device 400executes the Delegate_(L) algorithm indicated in Formula 189, and thusgenerates the delegation key sk_(L+1). In (S1208), the key delegationdevice 400 distributes the generated delegation key sk_(L+1) to thelower-level decryption device 300.

 Delegate L  ( pk , sk L , v → L + 1 )  :    for    j ′ = 1 , … , 2  ( L + 1 ) ;    τ = L + 2 , …  , d ; ι = 1 , …  , n ;   μ del , ( τ , ι ) ′ , μ ran , 2 , τ ′ , φ del , ( τ , ι ) , φ ran , 2 ,τ , ψ ′   U  q ,  p dec * , p del , ( τ , ι ) * , p ran , 1 , j ′ *, p ran , 2 , τ *   R  CoreDel L  ( pk , sk L , v L + 1 ) ,  where    CoreDel L  ( pk , sk L , v L + 1 )  :    μ t ′ , ξ , αj   U  q    for    t = 1 , …  , L + 1 ;    j = 1 , …  , 2 L + 1 ,   return   p * := ∑ t = 1 L + 1  μ t ′  ( tb 1 * - b 2 *) 〈 t 〉 + ξ  ( ∑ i = 1 n  v L + 1 , k L , del  ( L + 1 , i ) * ) +∑ j = 1 2  L  α j  k L , ran , 1 , j * + α 2  L + 1  k L , ran , 2, L + 1 * ,  r dec * , r ran , 1 , j ′ *   U  span  〈 ( b 0 , 1 +u 0 + 1 + 1 * , …  , b 0 , 1 + u 0 + 1 + w 0 * ) 〈 0 〉 , { ( b 2 +n + u + 1 * , …  , b 2 + n + u + w * ) 〈 t 〉 } t = 1 , …  , L + 1 〉,  r del , ( τ , ι ) * , r ran , 2 , τ *   U  span  〈 ( b 0 , 1 +u 0 + 1 + 1 * , …  , b 0 , 1 + u 0 + 1 + w 0 * ) 〈 0 〉 , { ( b 2 +n + u + 1 * , …  , b 2 + n + u + w * ) 〈 t 〉 } t = 1 , …  , L + 1 ,τ 〉 ,   k L + 1 , dec * := k L , dec * + p dec * + r dec * ,  k L +1 , dec  ( τ , ι ) * := p del  ( τ , ι ) * + μ del  ( τ , ι ) *  ( τ  b 1 * - b 2 * ) ( τ ) + φ del , ( τ , ι )  k L , ran , 2 , τ * + ψ′  k L , del  ( τ , ι ) * + r del  ( τ , ι ) * ,   k L + 1 , ran ,1  j ′ * := p ran , 1 , j ′ * + r ran , 1 , j ′ * ,  k L + 1 , ran , 2, τ * := p ran , 2 , τ * + μ ran , 2 , τ *  ( τ   b 1 * - b 2 * ) ( τ) + φ ran , 2 , τ  k L , ran , 2 , τ * + r ran , 2 , τ * ,  sk L + 1:= ( k L + 1 , dec * , { k L + 1 , del  ( τ , ι ) * } τ = L + 2 , …  ,d ; ι = 1 , 2 , { k L , ran , 1 , j ′ * , k L , ran , 2 , τ * } j ′ = 1, …  , 2  ( L + 1 ) ; τ = L + 2 , …  , d ) ,   return    sk L +1 . [ Formula   189 ]

As described above, as in the cryptographic systems 10 according toEmbodiments 2 and 3, in the cryptographic system 10 according toEmbodiment 4, the index parts are provided, so that the bases that areused for every attribute category can be constructed as the common bases(basis B and basis B*). As a result, only the basis B and the basis B*need to be included in a public parameter, eliminating the need forreissuing the public parameter when an attribute category is to be addedat a later stage.

As in Embodiments 2 and 3, for the index parts, it is required that 0 beobtained as a result of an inner-product operation of the index parts.Therefore, although the 2-dimensional index parts, namely the basisvectors b*₁ and b*₂ and the basis vectors b₁ and b₂, are employed in theabove description, the index parts are not limited to 2-dimensional andmay be 3-dimensional or higher-dimensional. The values assigned to theindex parts are not limited to those described above, and a differentassignment arrangement may be employed.

The HIPE scheme based on the functional encryption scheme has beendescribed above. As indicated in Formula 190 through Formula 195,however, the scheme can be modified into an HIPE scheme based on theattribute-based encryption scheme. Note that N₀ is 1+1+1+1+1=5, and N₁is 2+2+8+2+2=16 in Formula 190 through Formula 195. That is, u₀=1, w₀=1,z₀=1, n=2, u=8, w=2, and z=2. Even in this case, security can be proven.

 Setup  ( 1 λ )  :    ( param , ( 0 , 0 * ) , ( , * ) )   R  ob  ( 1 λ ) ,   0 := ^  ( b 0 , 1 , b 0 , 3 , b 0 , 5 ) ,   ^ := (b 1 , …  , b 4 , b 15 , b 16 ) ,   ^ 0 , pk * := b 0 , 4 * , ^ 0 ,sk * := ( b 0 , 1 * , b 0 , 3 * ) ,  ^ pk * := ( b 1 * , b 2 * , b 13 *, b 14 * ) , ^ sk * := ( b 3 * , b 4 * ) ,   return [ Formula   190] pk := ( 1 λ , param , 0 , ^  ^ , ^ 0 , pk * , ^ pk 0 ) , sk := ( ^ 0, sk * , ^ sk * ) .    ob  ( 1 λ )  :    := ( q , , T , g , e )  R   bpg  ( 1 λ ) , ψ   R  q × ,   N 0 := 5 ,   N 1 := 16 ,  for    t = 0 , 1 ,  := ( q , t , T , t , e ) :=  dpvs  ( 1 λ ,N t , ) ,   X t := ( χ t , i , j ) i , j = 1 , …  , N t   U  GL ( N t , q ) ,   X t * := ( ϑ t , i , j ) i , j = 1 , …  , N t := ψ ·( X t T ) - 1 ,   hereafter ,   χ → t , i    and    ϑ → t , i  denote   the   i  -  th   rows   of   X t   and   Xt *    for    i = 1 , …  , N t ,   respectively ,   b t , i:= ( χ → t , i ) t = ∑ j = 1 N t  χ t , i , j  a t , j  for    i =1 , …  , N t ,  t := ( b t , 1 , …  , b t , N t ) ,   b t , i * :=( ϑ → t , i ) t = ∑ j = 1 N t  ϑ t , i , j  a t , j    for    i= 1 , …  , N t ,  t * := ( b t , 1 * , …  , b t , N t * ) ,   g T:= e  ( g , g ) ψ ,   param := ( { } t = 0 , 1 , g T ) ,   return   ( param , , * ) .  KeyGen  ( pk , sk , ( v 1 , …  , v L ) ∈ q L ) :    for    j = 1 , …  , 2  L ;    τ = L + 1 , …  , d ;   ι = 1 , 2 ;    ψ , μ dec , t , μ ran , 1 , j , t , s dec , t , sran , 1 , j , t ,   θ dec , t , θ ran , 1 , j , t   U  q    for   t = 1 , …  , L ,   μ del , ( τ , ι ) , t , μ ran , 2 , τ , ι ,s del , ( τ , ι ) , t , s ran , 2 , τ , t ,   θ del , ( τ , ι ) , t ,θ ran , 2 , τ , t   U  q    for    t = 1 , …  , L + 1 , [Formula   191 ]  s dec , 0 := ∑ t = 1 L  s dec , t , s del , ( τ , ι) , 0 := ∑ t = 1 L  s del , ( τ , ι ) , t ,   s ran , 1 , j , 0 := ∑t = 1 L  s ran , 1 , j , t , s ran , 2 , τ , 0 := ∑ t = 1 L + 1  s ran, 2 , τ , t ,   η → dec , t , η → ran , 1 , j , t   U  q 2   for    t = 0 , …  , L ,   η → del , ( t , ι ) , t , η → ran , 2 ,τ , t   U  q 2    for    t = 0 , …  , L + 1 , k L , dec * := (( - s dec , 0 , 0 , 1 , η dec , 0 , 0 ) 0 * , ( μ dec , t  ( t , - 1 ), s dec , t + θ dec , t  v t , - θ dec , t , 0 8 , η → dec , t , 0 2) *  :  t = 1 , …  , L ) ,  k L , del  ( τ , ι ) * := ( ( - s del ,( τ , ι ) , 0 , 0 , 0 , η del , ( τ , ι ) , 0 , 0 )  0 *  ( μ del , (τ , ι ) , t  ( t , - 1 )  s del , ( τ , ι ) , t + θ del , ( τ , ι ) ,t  v t , - θ del  ( τ , ι ) , t , 0 8 , η → del , ( τ , ι ) , t , 0 2)  *  :   t = 1 , …  , L , ( μ del , ( τ , ι ) , L + 1  ( τ , - 1) , π del , ( τ , ι ) , L + 1 , 1 , π del , ( τ , ι ) , L + 1 , 2 , 0 8, η → del , ( τ , 2 ) , L + 1 , 0 2 )  η del , ( τ , 2 ) , L + 1 , 0 2)  * )    where ,  ( π del , ( τ , ι ) , L + 1 , ι , π del , ( τ ,ι ) , L + 1 , 2 ) := { ( s del , ( τ , 1 )  L + 1 + ψ , 0 ) if   ι =1 , ( s del , ( τ , 2 ) , L + 1 , ψ ) if   ι = 2 , [ Formula   192 ]k L , ran , 1 , j * := ( ( - s ran , 1 , j , 0 , 0 , 0 , η ran , 1 , j ,0 , 0 ) 0 * , ( μ ran , 1 , j , t  ( t , - 1 ) , s ran , 1 , j , t + θran , 1 , j , t  v t , - θ ran , 1 , j , t , 0 8 , η → ran , 1 , j , t, 0 2 )  *  :   t = 1 , …  , L ) ,  k L , ran , 2 , τ * := ( ( - sran , 2 , τ , 0 , 0 , 0 , η ran , 2 , τ , 0 , 0 ) 0 * , ( μ ran , 2 , τ, t  ( t , - 1 ) , s ran , 2 , τ , t + θ ran , 2 , τ , t  v t , - θran , 2 , τ , t , 0 8 , η → ran , 2 , τ , t , 0 2 )  *  :   t = 1 ,…  , L , ( μ ran , 2 , τ , L + 1  ( τ , - 1 ) , s ran , 2 , τ , L + 1, 0 , 0 8 , η → ran , 2 , τ , L + 1 , 0 2 )  * ) ,  sk L := ( k L ,dec * , { k L , del  ( τ , ι ) * } τ = L + 1 , …  , d ; ι = 1 , 2 , {k L , ran , 1 , j * , k L , ran , 2 , τ * } j = 1 , …  , 2  L ; τ =L + 1 , …  , d ) ,   return    sk L .  Enc  ( pk , m ∈ T , ( x 1, …  , x L ) ∈ q L )  :    ω , ζ , ϕ 0 , ϕ t , 1 , ϕ t , 2 , σ t  U  q    for    t = 1 , …  , L ,  c 1 := ( ( ω , 0 , ζ , 0 , ϕ0 ) 0 , ( σ 1  ( 1 , t )  ω  ( 1 , x t ) , 0 8 , 0 2 , ϕ t , 1 , ϕ t, 2 )  :   t = 1 , …  , L ) ,   c 2 := g T ζ  m ,   ct := ( c 1, c 2 ) ,   return   ct . [ Formula   193 ]  Dec  ( pk , k L ,dec , *  ct )  :    m ′ := c 2 / e  ( c 1 , k L , dec * ) ,  return   m ′ . [ Formula   194 ]  Delegate L  ( pk , sk L , v L +1 )  :    for    j ′ = 1 , …  , 2  ( L + 1 ) ;    τ = L + 2, …  , d ; ι = 1 , 2 ;    μ del , ( τ , ι ) ′ , μ ran , 2 , τ ′ , φdel , ( τ , ι ) , φ ran , 2 , τ , ψ ′   U  q ,  p dec * , p del , (τ , ι ) * , p ran , 1 , j ′ * , p ran , 2 , τ *   R  CoreDel L  ( pk, sk L , v L + 1 ) ,   where    CoreDel L  ( pk , sk L , v L + 1 ) :    μ t ′ , ξ , α j   U  q    for    t = 1 , …  , L + 1;    j = 1 , …  , 2  L + 1 ,   return [ Formula   195 ] p * :=∑ t = 1 L + 1  μ t ′  ( tb 1 * - b 2 * ) 〈 t 〉 + ξ  ( v L + 1  k L, del  ( L + 1 , 1 ) * - k L , del  ( L + 1 , 2 ) * ) + ∑ j = 1 2  L α j  k L , ran , 1 , j * + α 2  L + 1  k L , ran , 2 , L + 1 * , r dec * , r ran , 1 , j ′ *   U  span  〈 ( b 0 , 4 * ) 〈 0 〉 , {( b 13 * ) 〈 t 〉  , ( b 14 * ) 〈 t 〉 } t = 1 , … , L + 1 〉 ,  rdel , ( τ , ι ) * , r ran , 2 , τ *   U  span  〈 ( b 0 , 4 * ) 〈 0〉 , { ( b 13 * ) 〈 t 〉  , ( b 14 * ) 〈 t 〉 } t = 1 , … , L + 1 , τ〉 ,   k L + 1 , dec * := k L , dec * + p dec * + r dec * , k L + 1 ,dec  ( τ , ι ) * := p del  ( τ , ι ) * + μ del  ( τ , ι ) ′  ( τ  b 1 * - b 2 * ) ( τ ) + φ del , ( τ , ι )  k L , ran , 2 , τ * + ψ ′ k L , del  ( τ , ι ) * + r del  ( τ , ι ) * ,   k L + 1 , ran , 1 j ′ * := p ran , 1 , j ′ * + r ran , 1 , j ′ * ,  k L + 1 , ran , 2 ,τ * := p ran , 2 , τ * + μ ran , 2 , τ *  ( τ   b 1 * - b 2 * ) ( τ) + φ ran , 2 , τ  k L , ran , 2 , τ * + r ran , 2 , τ * ,  sk L + 1:= ( k L + 1 , dec * , { k L + 1 , del  ( τ , ι ) * } τ = L + 2 , …  ,d ; ι = 1 , 2 , { k L , ran , 1 , j ′ * , k L , ran , 2 , τ * } j ′ = 1, …  , 2  ( L + 1 ) ; τ = L + 2 , …  , d ) ,   return    sk L +1 .

Embodiment 5

This embodiment describes a signature scheme. In particular, thisembodiment describes a signature scheme based on the CP-FE schemedescribed in Embodiment 3.

First, the construction of the signature scheme will be described.

Second, the configuration of a cryptographic system 10 that implementsthe signature scheme will be described.

Third, the signature scheme will be described in detail.

<1. Construction of Signature Scheme>

The signature scheme consists of four algorithms: Setup, KeyGen, Sig,and Ver.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input asecurity parameter λ, and outputs a public parameter pk and a master keysk.

(KeyGen)

A KeyGen algorithm is a probabilistic algorithm that takes as input anattribute set Γ:={(t, {right arrow over (x)}_(t))|{right arrow over(x)}_(t)εF_(q) ^(n), 1≦t≦d}, the public parameter pk, and the master keysk, and outputs a signature key sk_(Γ).

(Sig)

A Sig algorithm is a probabilistic algorithm that takes as input amessage m, the signature key sk_(Γ), an access structure S:=(M, ρ), andthe public parameter pk, and outputs signature data sig.

(Ver)

A Ver algorithm is an algorithm that takes as input the message m, theaccess structure S:=(M, ρ), the signature data sig, and the publicparameter pk, and outputs a value “1” indicating success of verificationof the signature, or a value “0” indicating failure of verification ofthe signature.

<2. Configuration of Cryptographic System 10 that Implements SignatureScheme>

FIG. 30 is a configuration diagram of the cryptographic system 10 thatimplements the signature scheme according to Embodiment 5.

The cryptographic system 10 includes a key generation device 100, asignature device 500, and a verification device 600.

The key generation device 100 executes the Setup algorithm taking asinput a security parameter λ, and thus generates a public parameter pkand a master key sk. Then, the key generation device 100 publishes thegenerated public parameter pk. The key generation device 100 alsoexecutes the KeyGen algorithm taking as input an attribute set Γ, andthus generates a signature key sk_(Γ), and distributes the signature keysk_(Γ) to the signature device 500 in secrecy.

The signature device 500 executes the Sig algorithm taking as input amessage m, an access structure S, the public parameter pk, and thesignature key sk_(Γ), and thus generates signature information {rightarrow over (s)}*. The signature device 500 transmits the generatedsignature information {right arrow over (s)}*, the message m, and theaccess structure S to the verification device 600.

The verification device 600 executes the Ver algorithm taking as inputthe signature information {right arrow over (s)}*, the message m, theaccess structure S, and the public parameter pk, and outputs a value “1”or a value “0”.

<3. Signature Scheme in Detail>

With reference to FIGS. 31 to 37, the signature scheme will bedescribed, and the function and operation of the cryptographic system 10that implements the signature scheme will be described.

FIG. 31 is a configuration diagram of the key generation device 100according to Embodiment 5. FIG. 32 is a configuration diagram of thesignature device 500 according to Embodiment 5. FIG. 33 is aconfiguration diagram of the verification device 600 according toEmbodiment 5.

FIGS. 34 and 35 show flowcharts illustrating the operation of the keygeneration device 100. FIG. 34 is a flowchart illustrating the processof the Setup algorithm. FIG. 35 is a flowchart illustrating the processof the KeyGen algorithm. FIG. 36 is a flowchart illustrating theoperation of the signature device 500 and illustrating the process ofthe Sig algorithm. FIG. 37 is a flowchart illustrating the operation ofthe verification device 600 and illustrating the process of the Veralgorithm.

In the following description, H:=(KH_(λ), H_(hk) ^(λ,D)) is a collisionresistant hash function (see Non-Patent Literature 30). A collisionresistant hash function is a hash function for which it is difficult tofind two inputs that hash to the same output.

Specifically, a collision resistant hash function family H associatedwith the algorithm G_(bpg) and a polynomial poly(λ) specify two items:

1. A family of key spaces is indexed by λ. Each such key space is aprobability space on bit strings denoted by KH_(λ). There must exist aprobabilistic polynomial-time algorithm whose output distribution oninput 1^(λ) is equal to KH_(λ).

2. A family of hash functions is indexed by λ, hk randomly selected fromKH_(λ), and D:={0, 1}^(poly(λ)), where each such function H_(hk) ^(λ,D)maps an element of D to an element of F_(q) ^(x) with q being the firstelement of output param_(G) of algorithm G_(bpg)(1^(λ)). There mustexist a deterministic polynomial-time algorithm that outputs H_(hk)^(λ,D)(d) on input 1^(λ), hk, and dεD.

The function and operation of the key generation device 100 will bedescribed.

The key generation device 100 includes a master key generation unit 110,a master key storage unit 120, an information input unit 130, adecryption key generation unit 140, and a key distribution unit 150. Thedecryption key generation unit 140 includes a random number generationunit 143 and a key element generation unit 144.

With reference to FIG. 34, the process of the Setup algorithm will bedescribed.

(S1301) is basically the same as (S101) in Embodiment 2 shown in FIG. 9.There are differences, however, in that the process of (4) through (8)is executed for t=0, 1, and d+1 and that N₀ is 1+u₀+w₀+z₀. Note thatN_(d+1) is 2+u_(d+1)+w_(d+1)+z_(d+1) and that u_(d+1), w_(d+1), andz_(d+1) are integers of 1 or more.

(S1302: Hash Key Generation Step)

Using the processing device, the master key generation unit 110 computesFormula 196, and thus generates a hash key hk randomly.

$\begin{matrix}{{hk}\overset{R}{}{KH}_{\lambda}} & \left\lbrack {{Formula}\mspace{14mu} 196} \right\rbrack\end{matrix}$

(S1303: Public Parameter Generation Step)

Using the processing device, the master key generation unit 110generates a subbasis B

₀ of the basis B₀, a subbasis B

of the basis B, a subbasis B

_(d+1) of the basis B_(d+1), a subbasis B

*₀ of the basis B*₀, a subbasis B

* of the basis B*, and a subbasis B

*_(d+1) of the basis B*_(d+1), as indicated in Formula 197, the basesB₀, B, B_(d+1), B*₀, B

*, and B*_(d+1) having been generated in (S1301).

₀:=(b _(0,1) ,b _(0,1+u) ₀ _(+w) ₀ ₊₁ , . . . ,b _(0,1+u) ₀ _(+w) ₀_(+z) ₀ )

:=(b ₁ , . . . ,b _(2+n) ,b _(2+n+u+w+1) , . . . ,b _(2+n+u+w+z)),

_(d+1):=(b _(d+1,1) ,b _(d+1,2) ,b _(d+1,2+u) _(d+1) _(+w) _(d+1) ₊₁ , .. . ,b _(d+1,2) +u _(d+1) _(+w) _(d+1) _(+z) _(d+1) )

*₀:=(b* _(0,1+u) ₀ ₊₁ , . . . ,b _(0,1+u) ₀ _(+w) ₀ ),

*:=(b* ₁ , . . . ,b _(2+n) ,b _(2+n+u+1) , . . . ,b _(2+n+u+w)),

*_(d+1):=(b* _(d+1,1) ,b* _(d+1,2) ,b* _(d+1,2+u) _(d+1) ₊1, . . . ,b*_(d+1,2+u) _(d+1) _(+w) _(d+1) )  [Formula 197]

The master key generation unit 110 generates a public parameter pk byputting together the generated subbasis B

₀, subbasis B

, subbasis B̂_(d+1), subbasis B

*₀, subbasis B

*, and subbasis B

*_(d+1), the security parameter λ(1^(λ)) inputted in (S1301), paramgenerated in (S1301), and the hash key hk generated in (S1302).

(S1304: Master Key Generation Step)

The master key generation unit 110 generates a master key sk which isconstituted by a basis vector b*_(0,1) of the basis B

*₀.

(S1305: Master Key Storage Step)

The master key storage unit 120 stores the public parameter pk generatedin (S1303) in the storage device. The master key storage unit 120 alsostores the master key sk generated in (S1304) in the storage device.

In brief, in (S1301) through (S1304), the key generation device 100executes the Setup algorithm indicated in Formula 198, and thusgenerates the public parameter pk and the master key sk. In (S1305), thekey generation device 100 stores the generated public parameter pk andmaster key sk in the storage device.

The public parameter is published via the network, for example, and ismade available for the signature device 500 and the verification device600.

 Setup  ( 1 λ )    hk   R  KH λ ,  ( param , ( 0 , 0 * ) , (, * ) , ( d + 1 , d + 1 * ) )   R   ob  ( 1 λ ) ,   0 := ^  ( b0 , 1 , b 0 , 1 + u 0 + w 0 + 1 , …  , b 0 , 1 + u 0 + w 0 + z 0 ) ,  := ^  ( b 1 , …  , b 2 + n , b 2 + n + u + w + 1 , …  , b 2 + n +u + w + z ) ,   d + 1 := ^  ( b d + 1 , 1 , b d + 1 , 2 , b d + 1 ,2 + u d + 1 + w d + 1 + 1 , … , b d + 1 , 2 + u d + 1 + w d + 1 + z d +1 ) ,   0 * := ^  ( b 0 , 1 + u 0 + 1 * , …  , b 0 , 1 + u 0 + w 0 ),   * := ^  ( b 1 * , …  , b 2 + n * , b 2 + n + u + 1 * , …  , b2 + n + u + w * ) ,  d + 1 * := ^  ( b d + 1 , 1 * , b d + 1 , 2 * , bd + 1 , 2 + u d + 1 + 1 * , …  , b d + 1 , 2 + u d + 1 + w d + 1 * ) ,  sk := b 0 , 1 * ,  pk := ( 1 λ , hk , param , 0 ^ , ^ , d + 1 ^ ,0 * ^ , * , ^  d + 1 * ^ ) .   return   sk , pk . [ Formula   198]

With reference to FIG. 35, the process of the KeyGen algorithm will bedescribed.

(S1401: Information Input Step)

Using the input device, the information input unit 130 takes as input anattribute set Γ:={(t, {right arrow over (x)}_(t):=(x_(t,1), . . . ,x_(t,n)εF_(q) ^(n)))|1≦t≦d}. Note that attribute information of the userof a signature key sk_(Γ) is set in the attribute set Γ, for example.

(S1402: Random Number Generation Step)

Using the processing device, the random number generation unit 143generates random numbers, as indicated in Formula 199.

δ   U  q × ,  ϕ → 0 := ϕ 0 , 1 , …  , ϕ 0 , w 0   U  q w 0 ,  ϕ→ t := ϕ t , 1 , …  , ϕ t , w   U  q w   for   t = 1 , …  , d , ϕ → d + 1 , 1 := ϕ d + 1 , 1 , 1 , …  , ϕ d + 1 , 1 , w d + 1   U q w d + 1 ,  ϕ → d + 1 , 2 := ϕ d + 1 , 2 , 1 , …  , ϕ d + 1 , 2 , wd + 1   U  q w d + 1 , [ Formula   199 ]

(S1403: Key Element Generation Step)

Using the processing device, the key element generation unit 144generates an element k*₀ of the signature key sk_(Γ), as indicated inFormula 200.

k 0 * := ( δ , 0 u 0  u 0 , ϕ → 0  w 0 , 0 z 0  z 0 ) 0 * [ Formula  200 ]

Using the processing device, the key element generation unit 144 alsogenerates an element k*_(t) of the signature key sk_(Γ) for each integert included in the attribute set Γ, as indicated in Formula 201.

k t * := ( δ  ( 1 , t ) , δ   x t →  2 + n , 0 u  u , ϕ → t  w  0z  z ) *   for  ( t , x → t ) ∈ Γ [ Formula   201 ]

Using the processing device, the key element generation unit 144 alsogenerates elements k*_(d+1) and k*_(d+2) of the signature key sk_(Γ), asindicated in Formula 202.

k d + 1 , 1 * := ( δ  ( 1 , 0 )  2 , 0 u d + 1 ,  u d + 1  ϕ → d + 1, 1 ,  w d + 1  0 z d + 1  z d + 1 ) d + 1 * ,  k d + 1 , 2 * := ( δ ( 0 , 1 )  2 , 0 u d + 1 ,  u d + 1  ϕ → d + 1 , 2 ,  w d + 1  0z d + 1  z d + 1 ) d + 1 * [ Formula   202 ]

(S1404: Key Distribution Step)

Using the communication device and via the network, for example, the keydistribution unit 150 distributes the signature key sk_(Γ) having, aselements, the attribute set Γ inputted in (S1401) and k*₀, k*_(t),k*_(d+1), and k*_(d+2) generated in (S1403) to the signature device 500in secrecy. As a matter of course, the signature key sk_(Γ) may bedistributed to the signature device 500 by another method.

In brief, in (S1401) through (S1403), the key generation device 100executes the KeyGen algorithm indicated in Formula 203, and thusgenerates the signature key sk_(Γ). In (S1404), the key generationdevice 100 distributes the generated signature key sk_(Γ) to thesignature device 500.

KeyGen  ( pk , sk , Γ := { ( t , x → t := ( x t , 1 , …  , x t , n ) ∈q n  \  { 0 → } )  1 ≤ t ≤ d } )    δ   U  q × ,   ϕ → 0  U  q w 0 ,   ϕ → t   U  q w    for    t = 1 , …  , d ,  ϕ → d + 1 , 1 , ϕ → d + 1 , 2   U  q w d + 1 ,   k 0 * := ( δ , 0 u0  u 0 , ϕ → 0  w 0 , 0 z 0  z 0 ) 0 *    k t * := ( δ  ( 1 , t ), δ   x t →  2 + n , 0 u  u , ϕ → t  w  0 z  z ) *    for   ( t , x → t ) ∈ Γ ,   k d + 1 , 1 * := ( δ  ( 1 , 0 )  2 , 0 u d +1 ,  u d + 1  ϕ → d + 1 , 1 ,  w d + 1  0 z d + 1  z d + 1 ) d +1 * ,   k d + 1 , 2 * := ( δ  ( 0 , 1 )  2 , 0 u d + 1 ,  u d + 1 ϕ → d + 1 , 2 ,  w d + 1  0 z d + 1  z d + 1 ) d + 1 * ,  T := { 0 ,( d + 1 , 1 ) , ( d + 1 , 2 ) } ⋃ { t  1 ≤ t ≤ d , ( t , x → t ) ∈ Γ },   return    sk Γ := ( Γ , { k t * } t ∈ T ) . [ Formula   203 ]

The function and operation of the signature device 500 will bedescribed.

The signature device 500 includes a signature key acquisition unit 510,an information input unit 520, a complementary coefficient computationunit 530, a signature data generation unit 540, and a data transmissionunit 550. The signature data generation unit 540 includes a randomnumber generation unit 541 and a signature element generation unit 542.

With reference to FIG. 36, the process of the Sig algorithm will bedescribed.

(S1501: Signature Key Acquisition Step)

Using the communication device and via the network, for example, thesignature key acquisition unit 510 obtains the signature key sk_(Γ)generated by the key generation device 100. The signature keyacquisition unit 510 also obtains the public parameter pk generated bythe key generation device 100.

(S1502: Information Input Step)

Using the input device, the information input unit 520 takes as input anaccess structure S:=(M, ρ). Note that a matrix M of the access structureS is to be set according to the conditions of a system to beimplemented.

Using the input device, the information input unit 520 also takes asinput a message m to which a signature is to be appended.

(S1503: Span Program Computation Step)

Using the processing device, the complementary coefficient computationunit 530 checks whether or not the access structure S inputted in(S1502) accepts the attribute set Γ included in the signature key sk_(Γ)obtained in (S1501).

The method for checking whether or not the access structure accepts theattribute set is the same as that described in “5. Concept forimplementing functional encryption in Embodiment 1”.

If the access structure S accepts the attribute set Γ (accept in S1503),the complementary coefficient computation unit 530 advances the processto (S1504). If the access structure S rejects the attribute set Γ(reject in S1503), the complementary coefficient computation unit 530ends the process.

(S1504: Complementary Coefficient Computation Step)

Using the processing device, the complementary coefficient computationunit 530 computes I and a constant (complementary coefficient) α_(i) foreach integer i included in I such that Formula 204 is satisfied.

Σ_(i=I)α_(i) M _(i):={right arrow over (1)}

and I⊂{iε{1, . . . ,L}|[ρ(i)=(t,{right arrow over (v)} _(i))

(t,{right arrow over (x)} _(t))εΓ

{right arrow over (v)} _(i) ·{right arrow over (x)} _(t)=0]

[ρ(i)=

(t,{right arrow over (v)} _(i))

(t,{right arrow over (x)} _(t))εΓ

{right arrow over (v)} _(i) ·{right arrow over (x)} _(t)≠0]}  [Formula204]

(S1505: Random Number Generation Step)

Using the processing device, the random number generation unit 541generates random numbers, as indicated in Formula 205.

ξ   U  q × ,  ( β i )   U  { ( β 1 , …  , β L )  ∑ i = 1 L  βi  M i = 0 → } [ Formula   205 ]

(S1506: Signature Element Generation Step)

Using the processing device, the signature element generation unit 542generates a signature element s*₀ which is an element of signature datasig, as indicated in Formula 206.

s* ₀ :=ξk* ₀ +r* ₀  [Formula 206]

Note that r*₀ is defined by Formula 207 (see Formula 110 through Formula112 and explanations thereof).

$\begin{matrix}{{r_{0}^{*}\overset{U}{}{span}}{\langle{b_{0,{1 + u_{0} + 1}}^{*},\ldots \mspace{14mu},b_{0,{1 + u_{0} + w_{0}}}^{*}}\rangle}} & \left\lbrack {{Formula}\mspace{14mu} 207} \right\rbrack\end{matrix}$

Using the processing device, the signature element generation unit 542also generates a signature element s*_(i) which is an element of thesignature data sig for each integer i=1, . . . , L, as indicated inFormula 208.

s* _(i):=γ_(i) ·ξk* _(t)+Σ_(ι=1) ^(n) y _(i,ι) ·b* _(t,ι) +r* _(i), for1≦i≦L  [Formula 208]

Note that r*_(i) is defined by Formula 209.

$\begin{matrix}{{r_{i}^{*}\overset{U}{}{span}}{\langle{b_{t,{2 + n + u + 1}}^{*},\ldots \mspace{14mu},b_{t,{2 + n + u + w}}^{*}}\rangle}} & \left\lbrack {{Formula}\mspace{14mu} 209} \right\rbrack\end{matrix}$

Note that γ_(i) and {right arrow over (y)}:=(y_(i,i′) (i′=1, . . . , n)are defined by Formula 210.

$\begin{matrix}{{\gamma_{i},{{\overset{\rightarrow}{y}}_{i}:={\left( {y_{i,1},\ldots,y_{i,n}} \right)\mspace{14mu} {are}\mspace{14mu} {defined}\mspace{14mu} {as}}}}{if}{{{i \in {I\bigwedge{\rho (i)}}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},{\gamma_{i}:=\alpha_{i}},{{\overset{\rightarrow}{y}}_{i}\overset{U}{}\left\{ {{{\overset{\rightarrow}{y}}_{i}{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}}} = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},{if}}{{{i \in {I\bigwedge{\rho (i)}}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},{\gamma_{i}:=\frac{\alpha_{i}}{{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{i}}},{{\overset{\rightarrow}{y}}_{i}\overset{U}{}\left\{ {{{\overset{\rightarrow}{y}}_{i}{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}}} = \beta_{i}} \right\}},{if}}{{{i \notin {I\bigwedge{\rho (i)}}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},{\gamma_{i}:=0},{{\overset{\rightarrow}{y}}_{i}\overset{U}{}\left\{ {{{\overset{\rightarrow}{y}}_{i}{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}}} = {{0\bigwedge y_{i,1}} = \beta_{i}}} \right\}},{if}}{{{i \notin {I\bigwedge{\rho (i)}}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},{\gamma_{i}:=0},{{\overset{\rightarrow}{y}}_{i}\overset{U}{}\left\{ {{{\overset{\rightarrow}{y}}_{i}{{\overset{\rightarrow}{y}}_{i} \cdot {\overset{\rightarrow}{v}}_{i}}} = \beta_{i}} \right\}}}} & \left\lbrack {{Formula}\mspace{14mu} 210} \right\rbrack\end{matrix}$

Using the processing device, the signature element generation unit 542also generates a signature element s*_(L+1) which is an element of thesignature data sig, as indicated in Formula 211.

s* _(L+1):=ξ(k* _(d+1,1) +H _(hk) ^(λ,D)(m∥

)·k* _(d+1,2))+r* _(L+1)  [Formula 211]

Note that r*_(L+1) is defined by Formula 212.

$\begin{matrix}{{r_{L + 1}^{*}\overset{U}{}{span}}{\langle{b_{{d + 1},{2 + u_{d + 1} + 1}}^{*},\ldots \mspace{14mu},b_{{d + 1},{2 + u_{d + 1} + w_{d + 1}}}^{*}}\rangle}} & \left\lbrack {{Formula}\mspace{14mu} 212} \right\rbrack\end{matrix}$

(S1507: Data Transmission Step)

Using the communication device and via the network, for example, thedata transmission unit 550 transmits the signature data sig includingthe signature element s*₀, the signature element s*_(i) (i=1, . . . ,L), the signature element s*_(L+1), the message m, and the accessstructure S:=(M, ρ) to the verification device 600. As a matter ofcourse, the signature data sig may be transmitted to the verificationdevice 600 by another method.

In brief, in (S1501) through (S1506), the signature device 500 executesthe Sig algorithm indicated in Formula 213, and thus generates thesignature data sig. In (S1507), the signature device 500 transmits thegenerated signature data sig to the verification device 600.

 Sig  ( pk , sk Γ , m , := ( M , ρ ) )  :    If   := ( M , ρ )  accepts   Γ := { ( t , x → t ) } ,   then   compute   I  and   { α i } i ∈ I   such   that    ∑ i ∈ I   α i  M i := 1→    and   I ⊆ { i ∈ { 1 , …  , L }  [ ρ  ( i ) = ( t , v → i )⋀ ( t , x → t ) ∈ Γ ⋀ v → i · x → t = 0 ] ⋁ [ ρ  ( i ) =  ( t , v → i) ⋀ ( t , x → t ) ∈ Γ ⋀ v → i · x → t ≠ 0 ] } ,   ξ  ← U  q x , ( βi )  ← U  { ( β 1 , …  , β L )  ∑ i = 1 L   β i  M i = 0 → } ,  s 0 * := ξ   k 0 * + r 0 * ,   where    r 0 *  ← U  span  〈b 0 , 1 + u 0 + 1 , …  , b 0 , 1 + u 0 + w 0 * 〉 ,   s i * := γ i ·ξ   k t * + ∑ t = 1 n   y i , t · b t , i * + r i * , for   1 ≤ i≤ L ,   where    r i *  ← U  span  〈 b t , 2 + n + u + 1 , … , b t , 2 + n + u + w * 〉 ,   and    γ i , y → i := ( y i , 1 , … , y i , n )   are   defined   as    if   i ∈ I ⋀ ρ  ( i )= ( t , v → i ) , γ i := α i ,   y → i  ← U  { y → i  y → i · v → i= 0 ⋀ y i , 1 = β i } ,   if   i ∈ I ⋀ ρ  ( i ) =  ( t , v → i ) ,  γ i := α i v → i · x → t ,   y → i  ← U  { y → i  y → i · v → i= β i } ,   if   i ∉ I ⋀ ρ  ( i ) = ( t , v → i ) , γ i := 0 ,  y ← i  ← U  { y → i  y → i · v i = 0 ⋀ y i , 1 = β i } ,   if   i∉ I ⋀ ρ  ( i ) =  ( t , v → i ) ,   γ i := 0 , y → i  ← U  { y → i y → i · v → i = β i } ,   s L + 1 * := ξ ( k d + 1 , 1 * + H hk λ ,D  ( m   ) · k d + 1 , 2 * ) + r L + 1 * ,   where   r L + 1 * ← U  span  〈 b d + 1 , 2 + u d + 1 + 1 , …  , b d + 1 , 2 + u d +1 * + w d + 1 〉 ,   return   s → * := ( s 0 * , …  , s L + 1 * ) .[ Formula   213 ]

The function and operation of the verification device 600 will bedescribed.

The verification device 600 includes a public parameter acquisition unit610, a data receiving unit 620, a verification data generation unit 630,and a pairing operation unit 640. The verification data generation unit630 includes an f vector generation unit 631, an s vector generationunit 632, a random number generation unit 633, and a verificationelement generation unit 634.

With reference to FIG. 37, the process of the Ver algorithm will bedescribed.

(S1601: Public Parameter Acquisition Step)

Using the communication device and via the network, for example, thepublic parameter acquisition unit 610 obtains the public parameter pkgenerated by the key generation device 100.

(S1602: Signature Data Reception Step)

Using the communication device and via the network, for example, thedata receiving unit 620 receives the signature data sig transmitted bythe signature device 500.

(S1603: f Vector Generation Step)

Using the processing device, the f vector generation unit 631 randomlygenerates a vector {right arrow over (f)} having r pieces of elements,as indicated in Formula 214.

f →  ← U  q r [ Formula   214 ]

(S1604: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix Mof the access structure S included in the signature data sig received in(S1602) and the vector {right arrow over (f)} having r pieces ofelements generated in (S1603), the s vector generation unit 632generates a vector {right arrow over (s)}^(T), as indicated in Formula215.

{right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrowover (f)} ^(T)  [Formula 215]

Using the processing device and based on the vector {right arrow over(f)} generated in (S1603), the s vector generation unit 632 alsogenerates a value s₀, as indicated in Formula 216. Note that {rightarrow over (1)} is a vector which has a value 1 in all its elements.

s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 216]

(S1605: Random Number Generation Step)

Using the processing device, the random number generation unit 633generates random numbers, as indicated in Formula 217.

η → 0 := η 0 , 1 , …  , η 0 , z 0  ← U  q z 0 ,  η → L + 1 := η L +1 , 1 , …  , η L + 1 , z d + 1  ← U  q z d + 1 ,  θ L + 1 , s L + 1 ← U  q ,  for   1 ≤ i ≤ L ,  if   ρ  ( i ) = ( t , v → i )  μi ,  θ i  ← U  q , η → i  ← U  q z ,  if   ρ  ( i ) =  ( t , v→ i )  μ i  ← U  q , η → i  ← U  q z [ Formula   217 ]

(S1606: Verification Element Generation Step)

Using the processing device, the verification element generation unit634 generates a verification element c₀ which is an element of averification key, as indicated in Formula 218.

c 0 := ( - s 0 - s L + 1 , 0 u 0  u 0 , 0 w 0  w 0 , η → 0  z 0 )  0[ Formula   218 ]

Using the processing device, the verification element generation unit634 also generates a verification element c_(i) which is an element ofthe verification key for each integer i=1, . . . , L, as indicated inFormula 219.

for   1 ≤ i ≤ L ,  if   ρ  ( i ) = ( t , v i )   if   s i * ∉t , return   0   else   c i := ( μ i  ( t , - 1 ) , s i  e 1 + θi  v →  2 + n i , 0 u  u , 0 w  w , η →  z )  ,  if   ρ  ( i )=  ( t , v → i )   if   s i * ∉ t , return   0   else   c i:= ( μ i  ( t , - 1 ) , s i  v →  2 + n i , 0 u  u , 0 w  w , η → z i )  [ Formula   219 ]

Using the processing device, the verification element generation unit634 also generates a verification element c_(L+1) which is an element ofthe verification key, as indicated in Formula 220.

c L + 1 := ( s L + 1 - θ L + 1  H hk λ , D ( m   ) , θ L + 1 ,  2 0 u d + 1  u d + 1 , 0 w d + 1  w d + 1 , η → L + 1  z d + 1 )  d +1 [ Formula   220 ]

(S1607: First Pairing Operation Step)

Using the processing device, the pairing operation unit 640 computes apairing operation e (b_(0,1), s*₀).

If the result of computing the pairing operation e (b_(0,1), s*₀) is avalue 1, the pairing operation unit 640 outputs a value 0 indicatingfailure of verification of the signature and ends the process. If theresult of computing the pairing operation e (b_(0,1), s*₀) is other thana value 1, the pairing operation unit 640 advances the process to S1608.

(S1608: Second Pairing Operation Step)

Using the processing device, the pairing operation unit 640 computes apairing operation indicated in Formula 221.

Π_(i=0) ^(L+1) e(c _(i) ,s* _(i))  [Formula 221]

If the result of computing the pairing operation indicated in Formula221 is a value 1, the pairing operation unit 640 outputs a value 1indicating success of verification of the signature. If the result isany other value, the pairing operation unit 640 outputs a value 0indicating failure of verification of the signature.

In brief, in (S1601) through (S1608), the verification device 600executes the Ver algorithm indicated in Formula 222, and thus verifiesthe signature data sig.

 Ver  ( pk , m , := ( M , ρ ) , s → * )    f →  ← U  q r ,   s→ T := ( s 1 , …  , s L ) T := M · f → T ,   s 0 := 1 → · f → T ,  η → 0  ← U  q z 0 , η → L + 1  ← U  q z d + 1 , θ L + 1  s L + 1 ← U  q ,   c 0 := ( - s 0 - s L + 1 , 0 u 0  u 0 , 0 w 0  w 0 , η →0  z 0 )  0 ,   for   1 ≤ i ≤ L ,   if   ρ  ( i ) = ( t , v →i ) ,   if   s i * ∉ t , return   0 ,   else   μ i , θ i  ← U q , η → i  ← U  q z ,   c i := ( μ i  ( t , - 1 ) , s i  e 1 + θi  v →  2 + n i , 0 u  u , 0 w  w , η →  z )  ,   if   ρ  ( i) =  ( t , v → i ) ,   if   s i * ∉ t , return   0 ,   else  μ i  ← U  q , η → i  ← U  q z ,   c i := ( μ i  ( t , - 1 ) , s i v →  2 + n i , 0 u  u , 0 w  w , η →  z )  ,  c L + 1 := ( s L +1 - θ L + 1  H hk λ , D ( m   ) , θ L + 1 ,  2  0 u d + 1  u d + 1, 0 w d + 1  w d + 1 , η → L + 1  z d + 1 )  d + 1    return   0  if   e  ( b 0 , 1 , s 0 * ) = 1 ,   return   1   if   ∏ i= 0 L + 1   e  ( c i , s i * ) = 1 ,   return   0   otherwise .[ Formula   222 ]

As described above, as in the cryptographic systems 10 according toEmbodiments 2 to 4, in the cryptographic system 10 according toEmbodiment 5, the index parts are provided, so that the bases that areused for every attribute category can be constructed as the common bases(basis B and basis B*). As a result, only the basis B and the basis B*need to be included in a public parameter, eliminating the need forreissuing the public parameter when an attribute category is to be addedat a later stage.

As in Embodiments 2 to 4, for the index parts, it is required that 0 beobtained as a result of an inner-product operation of the index parts.Therefore, although the 2-dimensional index parts, namely the basisvectors b*₁ and b*₂ and the basis vectors b₁ and b₂, are employed in theabove description, the index parts are not limited to 2-dimensional andmay be 3-dimensional or higher-dimensional. The values assigned to theindex parts are not limited to those described above, and a differentassignment arrangement may be employed.

The signature scheme based on the functional encryption scheme has beendescribed above. However, as explained in Embodiment 3 that thefunctional encryption scheme can be modified into an attribute-basedencryption scheme, so the signature scheme based on the functionalencryption scheme can be modified into a signature scheme based on theattribute-based encryption scheme.

Embodiment 6

This embodiment describes a multi-authority functional encryption schemeand a multi-authority signature scheme.

Multi-authority signifies the presence of a plurality of authorities whogenerate the user's decryption key (or signature key).

In an ordinary functional encryption, the security of the whole systemdepends on one certain party (authority). For example, in thecryptographic system 10 described in Embodiment 2 or 3, the security ofthe whole system depends on the key generation device 100. If the mastersecret key sk which is the secret key of the key generation device 100is compromised, the security of the whole system will be broken.

With the multi-authority scheme, however, even if the security of someauthority is broken or the secret key (master key) of some authority iscompromised, only part of the system stops functioning, and theremaining portion of the system can function properly.

FIG. 38 is an explanatory drawing of the multi-authority. In FIG. 38, anarrowly-defined cryptographic process is used as an example.

In FIG. 38, a government office manages attributes such as address,telephone number, and age. The police manage attributes such as type ofdriver's license. Company A manages attributes such as position inCompany A and belonging department in Company A. A decryption key 1associated with the attributes managed by the government office isissued by the government office. A decryption key 2 associated with theattributes managed by the police is issued by the police. A decryptionkey 3 associated with the attributes managed by Company A is issued byCompany A.

A decryptor who decrypts a ciphertext decrypts the ciphertext using adecryption key formed by putting together the decryption keys 1, 2, and3 issued by the respective authorities such as the government office,the police, and Company A. That is, when seen from the decryptor, adecryption key formed by putting together the decryption keys issued bythe respective authorities is the single decryption key issued to him orher.

For example, in a case where the master key of Company A is compromised,although the cryptographic processing system does not function regardingthe attributes of Company A, it functions regarding the attributesmanaged by the other authorities. That is, concerning the attributesmanaged by Company A there is a risk of decryption by a user havingattributes other than the specified attributes. However, concerningattributes other than those managed by Company A, decryption is possibleonly by a user having the specified attributes.

As is seen from the example of FIG. 38, according to the functionalencryption, it is normal that a plurality of authorities are present,and that each authority manages a certain category (subspace) ordefinition range in the attributes and issues (a part of) a decryptionkey regarding the attribute of the user in this category.

When any party can serve as an authority and issue (a part of) adecryption key without interacting with the other parties, and each usercan obtain (a part of) the decryption key without interacting with theother parties, this scheme is called a decentralized multi-authorityscheme.

For example, if a central authority exists, the scheme is notdecentralized. A central authority is an authority superior to the otherauthorities. If the security of the central authority is broken, thesecurity of every authority will be broken.

Non-Patent Literature 31 describes a decentralized multi-authorityfunctional encryption scheme, and Non-Patent Literature 30 describes anon-decentralized multi-authority signature scheme. As in the case ofthe encryption scheme and the signature scheme described in the aboveembodiments, the schemes described in Non-Patent Literature 30 andNon-Patent Literature 31 can be constructed such that there is no needto reissue a public parameter when an attribute category is to be added.

FIG. 39 is an explanatory drawing of a functional encryption scheme thatallows for addition of an attribute category in a case ofmulti-authority.

In FIG. 39, as in FIG. 38, a government office manages attributes suchas address, telephone number, and age. The police manage attributes suchas type of driver's license. Company A manages attributes such asposition in Company A and belonging department in Company A. Adecryption key 1 associated with the attributes managed by thegovernment office is issued by the government office. A decryption key 2associated with the attributes managed by the police is issued by thepolice. A decryption key 3 associated with the attributes managed byCompany A is issued by Company A.

Note here that the government office generates a basis B

₁ and a basis B

*₁ as a public parameter pk and a master secret key sk, respectively.Using the basis B

*₁, the government office generates the decryption key 1 concerning theattributes such as address, telephone number, and age. Similarly, thepolice generate a basis B

₂ and a basis B

*₂ as a public parameter pk and a master secret key sk, respectively.Using the basis B

*₂, the police generate the decryption key 2 concerning the attributessuch as type of driver's license. Similarly, Company A generates a basisB

₃ and a basis B

*₃ as a public parameter pk and a master secret key sk, respectively.Using the basis B

*₃, Company A generates the decryption key 3 concerning the attributessuch as position in Company A and belonging department in Company A.

A sender generates a ciphertext by setting the attributes such asaddress, telephone number, and age using the basis B

₁, setting the attributes such as type of driver's license using basis B

₂, and setting the attributes such as position in Company A andbelonging department in Company A using basis B

₃. A decryptor decrypts the ciphertext using the decryption keys 1 to 3.

For example, when an attribute category managed by the government officeis to be added, the attribute category can be added without reissuingthe public parameter pk of the government office.

The functional encryption scheme that allows for addition of anattribute category has been described herein. However, the same conceptcan basically be applied to the signature scheme adapted from thefunctional encryption scheme.

Embodiment 7

In the above embodiments, the method for implementing the processes ofthe cryptographic primitives in the dual vector spaces has beendescribed. In Embodiment 7, a method for implementing the processes ofthe cryptographic primitives in dual additive groups will be described.

More specifically, in the above embodiments, the processes of thecryptographic primitives are implemented in the cyclic group of theprime order q. When a ring R is expressed using a composite M asindicated in Formula 223, the processes of the cryptographic primitivesdescribed in the above embodiments can also be applied to an additivegroup having the ring R as a coefficient.

:=

/M

  [Formula 223]

where

: an integer; andM: a composite number

By changing F_(q) to R in the algorithms described in the aboveembodiments, the processes of the cryptographic primitives in dualadditive groups can be implemented.

From the view point of security proof, in the above embodiments, ρ(i)for each integer i=1, . . . , L may be limited to a positive tuple (t,{right arrow over (v)}) or negative tuple

(t, {right arrow over (v)}) for respectively different identificationinformation t.

In other words, when ρ(i)=(t, {right arrow over (v)}) or ρ(i)=

(t, {right arrow over (v)}), let a function {tilde over (ρ)} be map of{1, . . . , L}→{1, . . . , d} such that {tilde over (ρ)}(i)=t. In thiscase, {tilde over (ρ)} may be limited to injection. Note that ρ(i) isρ(i) in the access structure S:=(M, ρ(i)) described above.

A hardware configuration of the cryptographic system 10 (the keygeneration device 100, the encryption device 200, the decryption device300, the key delegation device 400, the signature device 500, and theverification device 600) according to the embodiments will be described.

FIG. 40 is a diagram showing an example of a hardware configuration ofthe key generation device 100, the encryption device 200, the decryptiondevice 300, the key delegation device 400, the signature device 500, andthe verification device 600.

As shown in FIG. 40, each of the key generation device 100, theencryption device 200, the decryption device 300, the key delegationdevice 400, the signature device 500, and the verification device 600includes the CPU 911 (also referred to as a Central Processing Unit,central processing device, processing device, arithmetic device,microprocessor, microcomputer, or processor) that executes programs. TheCPU 911 is connected via a bus 912 to the ROM 913, the RAM 914, an LCD901 (Liquid Crystal Display), the keyboard 902 (K/B), the communicationboard 915, and the magnetic disk device 920, and controls these hardwaredevices. In place of the magnetic disk device 920 (fixed disk device), astorage device such as an optical disk device or memory card read/writedevice may be employed. The magnetic disk device 920 is connected via apredetermined fixed disk interface.

The ROM 913 and the magnetic disk device 920 are examples of anonvolatile memory. The RAM 914 is an example of a volatile memory. TheROM 913, the RAM 914, and the magnetic disk device 920 are examples of astorage device (memory). The keyboard 902 and the communication board915 are examples of an input device. The keyboard 902 is an example of acommunication device. The LCD 901 is an example of a display device.

The magnetic disk device 920, the ROM 913, or the like stores anoperating system 921 (OS), a window system 922, programs 923, and files924. The programs 923 are executed by the CPU 911, the operating system921, and the window system 922.

The programs 923 store software and programs that execute the functionsdescribed in the above description as the “master key generation unit110”, the “master key storage unit 120”, the “information input unit130”, the “decryption key generation unit 140”, the “key distributionunit 150”, the “public parameter acquisition unit 210”, the “informationinput unit 220”, the “cipher data generation unit 230”, the “datatransmission unit 240”, the “decryption key acquisition unit 310”, the“data receiving unit 320”, the “span program computation unit 330”, the“complementary coefficient computation unit 340”, the “pairing operationunit 350”, the “message computation unit 360”, the “decryption keyacquisition unit 410”, the “information input unit 420”, the “delegationkey generation unit 430”, the “key distribution unit 440”, the“signature key acquisition unit 510”, the “information input unit 520”,the “complementary coefficient computation unit 530”, the “signaturedata generation unit 540”, the “data transmission unit 550”, the “publicparameter acquisition unit 610”, the “data receiving unit 620”, the“verification data generation unit 630”, the “pairing operation unit640”, and the like. The programs 923 store other programs as well. Theprograms are read and executed by the CPU 911.

The files 924 store information, data, signal values, variable values,and parameters such as the “public parameter pk”, the “master secret keysk”, the “decryption keys sk_(S) and sk_(Γ)”, the “ciphertexts ct_(Γ)and ct_(S)”, the “access structure S”, the “attribute information”, andthe “message m”, as the items of a “file” and “database”. The “file” and“database” are stored in a recording medium such as a disk or memory.The information, data, signal values, variable values, and parametersstored in the recording medium such as the disk or memory are read outto the main memory or cache memory by the CPU 911 through a read/writecircuit, and used for operations of the CPU 911 such as extraction,search, look-up, comparison, calculation, computation, processing,output, printing, and display. The information, data, signal values,variable values, and parameters are temporarily stored in the mainmemory, cache memory, or buffer memory during the operations of the CPU911 including extraction, search, look-up, comparison, calculation,computation, processing, output, printing, and display.

The arrows in the flowcharts in the above description mainly indicateinput/output of data and signals. The data and signal values are storedin the memory of the RAM 914, the recording medium such as an opticaldisk, or in an IC chip. The data and signals are transmitted online viaa transmission medium such as the bus 912, signal lines, or cables, orvia electric waves.

What is described as “unit” in the above description may be “circuit”,“device”, “equipment”, “means”, or “function”, and may also be “step”,“procedure”, or “process”. What is described as “device” may be“circuit”, “equipment”, “means”, or “function”, and may also be “step”,“procedure”, or “process”. What is described as “process” may be “step”.In other words, what is described as “unit” may be realized by firmwarestored in the ROM 913. Alternatively, what is described as “unit” may beimplemented solely by software, or solely by hardware such as anelement, a device, a substrate, or a wiring line, or by a combination ofsoftware and firmware, or by a combination including firmware. Thefirmware and software are stored as programs in the recording mediumsuch as the ROM 913. The programs are read by the CPU 911 and areexecuted by the CPU 911. That is, each program causes the computer orthe like to function as each “unit” described above. Alternatively, eachprogram causes the computer or the like to execute a procedure or amethod of each “unit” described above.

REFERENCE SIGNS LIST

10: cryptographic system; 100: key generation device; 110: master keygeneration unit; 120: master key storage unit; 130: information inputunit; 140: decryption key generation unit; 141: f vector generationunit; 142: s vector generation unit; 143: random number generation unit;144: key element generation unit; 145: randomizing element generationunit; 146: delegation element generation unit; 150: key distributionunit; 200: encryption device; 210: public parameter acquisition unit;220: information input unit; 230: cipher data generation unit; 231:random number generation unit; 232: cipher element generation unit; 240:data transmission unit; 300: decryption device; 310: decryption keyacquisition unit; 320: data receiving unit; 330: span programcomputation unit; 340: complementary coefficient computation unit; 350:pairing operation unit; 360: message computation unit; 400: keydelegation device; 410: decryption key acquisition unit; 420:information input unit; 430: delegation key generation unit; 431: randomnumber generation unit; 432: lower-level key element generation unit;433: lower-level randomizing element generation unit; 434: lower-leveldelegation element generation unit; 440: key distribution unit; 500:signature device; 510: signature key acquisition unit; 520: informationinput unit; 530: complementary coefficient computation unit; 540:signature data generation unit; 541: random number generation unit; 542:signature element generation unit; 550: data transmission unit; 600:verification device; 610: public parameter acquisition unit; 620: datareceiving unit; 630: verification data generation unit; 631: f vectorgeneration unit; 632: s vector generation unit; 633: random numbergeneration unit; 634: verification element generation unit; 640: pairingoperation unit

1. A cryptographic system configured to perform a process using apredetermined basis B and a predetermined basis B*, the cryptographicsystem comprising: a transmission device configured to generate atransmission-side vector tj for at least one index j out of a pluralityof indices j, the transmission-side vector tj being a vector in whichinformation J assigned in advance to the index j is set as a coefficientof a predetermined basis vector b_(index) of the basis B, and aparameter Φ_(j) for the index j is set as a coefficient of another basisvector b_(att) of the basis B; and a reception device configured to usea reception-side vector r_(j′) for at least one index j′ out of aplurality of indices j′, the reception-side vector r_(j′) being a vectorin which information J′ having an inner-product of 0 with theinformation J assigned in advance to the index j corresponding to theindex j′ is set as a coefficient of a basis vector b*_(index) of thebasis B* corresponding to the basis vector b_(index), and a parameterΨj′ for the index j′ is set as a coefficient of a basis vector b*_(att)of the basis B* corresponding to the basis vector b_(att), and compute aproduct of pairing operations on corresponding pairs of the basisvectors of the transmission-side vector t_(j) for the index j and thereception-side vector r_(j′) for the index j′ corresponding to the indexj.
 2. The cryptographic system according to claim 1, wherein thetransmission device is an encryption device that generates a ciphertextct, and is configured to use an integer t of t=1, . . . , d (d being aninteger of 1 or more) as the index j, use attribute information x_(t)for the integer t as the parameter Φ_(j) for the index j, and generatethe ciphertext ct including as the transmission-side vector t_(j) acipher vector c_(t) in which information J assigned to the integer t isset as the coefficient of the basis vector b_(index) and the attributeinformation x_(t) for the integer t is set as the coefficient of thebasis vector b_(att), for at least one integer t, and wherein thereception device is a decryption device that decrypts the ciphertext ct,and is configured to use an integer i of i=1, . . . , L (L being aninteger of 1 or more) as the index j′, use predicate information v_(i)for the integer i as the parameter Ψ_(j′) for the index j′, use as thereception-side vector r_(j′) a key vector k*_(i) in which information J′having an inner-product of 0 with the information J assigned to theinteger t corresponding to the integer i is set as the coefficient ofthe basis vector b*_(index), and predicate information v_(i) for theinteger i is set as the coefficient of the basis vector b*_(att), foreach integer i, and compute a product of pairing operations oncorresponding pairs of the basis vectors of the key vector k*_(i) forthe each integer i and the cipher vector c_(t) for the integer tcorresponding to the each integer i.
 3. The cryptographic systemaccording to claim 2, wherein the cryptographic system is configured toperform the process using a predetermined basis B₀ and a predeterminedbasis B*₀, and a predetermined basis B and a predetermined basis B*,wherein the transmission device is configured to generate the ciphertextct including a cipher vector c₀ and a cipher vector c_(t) for at leastone integer t of t=1, . . . , d, as indicated in Formula 1, and whereinthe reception device is configured to compute Formula 3 for a key vectork*_(i) for each integer i of i=0, . . . , L, as indicated in Formula 2,and the cipher vector c_(t) c 0 := ( ω , 0 u 0  u 0 , ζ , 0 w 0  w 0 ,ϕ → 0  z 0 )  0  ( ,  c t := ( σ t  ( 1 , t ) , ω   x → t  2 + n, 0 u  u , 0 w  w , ϕ → t  z )  B [ Formula   1 ] where {rightarrow over (x)}_(t):=(x_(t,1), . . . , x_(t,n)), ω, ζ, {right arrow over(φ)}₀=φ_(0,1), . . . , φ_(0,z) ₀ , σ_(t), {right arrow over(φ)}_(t)=φ_(t,1), . . . , φ_(t,z) are random numbers, n is an integer of1 or more, and u₀, w₀, z₀, u, w, z are each an integer of 0 or more,$\begin{matrix}{{k_{0}^{*}:={\left( {{- s_{0}},\overset{\overset{u_{0}}{}}{0^{u_{0}}},1,\overset{\overset{w_{0}}{}}{{\overset{\rightarrow}{\eta}}_{0}},\overset{\overset{z_{0}}{}}{0^{z_{0}}}} \right)B_{0}^{*}}},{{{if}\mspace{14mu} {\rho (i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},{k_{i}^{*}:={\left( {{\overset{\overset{2 + n}{}}{{{\mu_{i}\left( {t,{- 1},} \right)},{{s_{i}{\overset{\rightarrow}{e}}_{i}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}}}\mspace{14mu}}\overset{\overset{u}{}}{0^{u}}},\overset{\overset{w}{}}{{\overset{\rightarrow}{\eta}}_{i}},\overset{\overset{z}{}}{0^{z}}} \right)B^{*}}},{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},{k_{i}^{*}:={\left( {{\overset{\overset{2 + n}{}}{{{\mu_{i}\left( {t,{- 1},} \right)},{s_{i}{\overset{\rightarrow}{v}}_{i}}}\mspace{14mu}}\overset{\overset{u}{}}{0^{u}}},\overset{\overset{w}{}}{{\overset{\rightarrow}{\eta}}_{i}},\overset{\overset{z}{}}{0^{z}}} \right)B^{*}}}} & \left\lbrack {{Formula}\mspace{14mu} 2} \right\rbrack\end{matrix}$ where {right arrow over (v)}_(i):=(v_(i,1), . . . ,v_(i,n)), {right arrow over (η)}₀=η_(0,1), . . . , η_(0,w) ₀ , μ_(i),θ_(i), {right arrow over (η)}_(i)=η_(i,1), . . . , η_(i,w) are randomnumbers, s₀:={right arrow over (1)}·{right arrow over (f)}^(T), {rightarrow over (s)}^(T):=(s₁, . . . , s_(L))^(T):=M·{right arrow over(f)}^(T), {right arrow over (f)} is a vector having r pieces ofelements, M is an L-row and r-column matrix, ρ(i) is a variable to which(t, {right arrow over (v)}_(i)) or

(t, {right arrow over (v)}_(i)) is assigned in advance, n is an integerof 1 or more, and u₀, w₀, z₀, u, w, z are each an integer of 0 or more,$\begin{matrix}{{K:={{e\left( {c_{0},k_{0}^{*}} \right)}{\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}^{\;}\; {{e\left( {c_{t},k_{i}^{*}} \right)}\alpha_{i}{\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}{{e\left( {c_{t},k_{i}^{*}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}\mspace{20mu} {where}\mspace{20mu} {{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}^{\;}\; {\alpha_{i}M_{i}}}},\mspace{20mu} {where}}\mspace{20mu} {{M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M},{I \subseteq {\left\{ {{i \in \left\{ {1,{\ldots \mspace{14mu} L}} \right\}}{\begin{matrix}{\begin{bmatrix}{{\rho (i)} = {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in}} \\{{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} = 0}\end{bmatrix}\bigvee} \\\begin{bmatrix}{{\rho (i)} = {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge}}} \\{\left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}\end{bmatrix}\end{matrix}}} \right\}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 3} \right\rbrack\end{matrix}$
 4. The cryptographic system according to claim 1, whereinthe transmission device is an encryption device that generates aciphertext ct, and is configured to use an integer i of i=1, . . . , L(L being an integer of 1 or more) as the index j, use predicateinformation v_(i) for the integer i as the parameter Φ_(j) for the indexj, and generate the ciphertext ct including as the transmission-sidevector t_(j) a cipher vector c_(i) in which information J assigned tothe integer i is set as the coefficient of the basis vector b_(index),and the predicate information v_(i) for the integer i is set as thecoefficient of the basis vector b_(att), for each integer i, and whereinthe reception device is a decryption device that decrypts the ciphertextct, and is configured to use an integer t of t=1, . . . , d (d being aninteger of 1 or more) as the index j′, use attribute information x_(t)for the integer t as the parameter Ψ_(j′) for the index j′, use as thereception-side vector r_(j′) a key vector k*_(t) in which information J′having an inner-product of 0 with the information J assigned to theinteger i corresponding to the integer t is set as the coefficient ofthe basis vector b*_(index), and attribute information x_(t) for theinteger t is set as the coefficient of the basis vector b*_(att), for atleast one integer t, and compute a product of pairing operations oncorresponding pairs of the basis vectors of the cipher vector c_(i) forthe each integer i and the key vector k*_(t) for the integer tcorresponding to the each integer i.
 5. The cryptographic systemaccording to claim 4, wherein the cryptographic system is configured toperform the process using a predetermined basis B₀ and a predeterminedbasis B*₀, and a predetermined basis B and a predetermined basis B*,wherein the transmission device is configured to generate the ciphertextct including a cipher vector c_(i) for each integer i of i=0, . . . , L,as indicated in Formula 4, and wherein the reception device isconfigured to compute Formula 6 for a key vector k*₀ and a key vectork*_(t) for at least one integer t of t=1, . . . , d, as indicated inFormula 5, and the cipher vector c_(i) c 0 := ( - s 0 , 0 u 0  u 0 , ζ, 0 w 0  w 0 , η → 0  z 0 )  0 ,  if   ρ  ( i ) = ( t , v → i ) , c i := ( μ i  ( t , - 1 , ) , s i  e → i + θ i  v → i   2 + n  0u  u , 0 w  w , η → i  z )  B ,  if   ρ  ( i ) =  ( t , v → i ),  c i := ( μ i  ( t , - 1 , ) , s i  v → i   2 + n  0 u  u , 0 w w , η → i  z )  B * [ Formula   4 ] where {right arrow over(v)}_(i):=(v_(i,1), . . . , v_(i,n)), ζ, {right arrow over(η)}₀=η_(0,1), . . . , η_(0,z) ₀ , μ_(i), θ_(i), {right arrow over(η)}_(i)=η_(i,1), . . . , η_(i,z) are random numbers, s₀:={right arrowover (1)}·{right arrow over (f)}^(T), {right arrow over (s)}^(T):=(s₁, .. . , s_(L))^(T):=M·{right arrow over (f)}^(T), {right arrow over (f)}is a vector having r pieces of elements, M is an L-row and r-columnmatrix, ρ(i) is a variable to which (t, {right arrow over (v)}_(i)) or

(t, {right arrow over (v)}_(i)) is assigned in advance, n is an integerof 1 or more, and u₀, w₀, z₀, u, w, z are each integer of 0 or more,$\begin{matrix}{{k_{0}^{*}:={\left( {\omega,\overset{\overset{u_{0}}{}}{0^{u_{0}}},1,\overset{\overset{w_{0}}{}}{{\overset{\rightarrow}{\phi}}_{0}},\overset{\overset{z_{0}}{}}{0^{z_{0}}}} \right)B_{0}^{*}}},{k_{t}^{*}:={\left( {\overset{\overset{2 + n}{}}{{\sigma_{t}\left( {1,t} \right)},{\omega \; {\overset{\rightarrow}{x}}_{t}}},\overset{\overset{u}{}}{0^{u}},\overset{\overset{w}{}}{{\overset{\rightarrow}{\phi}}_{t}},\overset{\overset{z}{}}{0^{z}}} \right)B}}} & \left\lbrack {{Formula}\mspace{14mu} 5} \right\rbrack\end{matrix}$ where {right arrow over (x)}_(t):=(x_(t,1), . . . ,x_(t,n)), ω, {right arrow over (φ)}₀=φ_(0,1), . . . , φ_(0,w) ₀ , σ_(t),{right arrow over (φ)}_(t)=φ_(t,1), . . . , φ_(t,w) are random numbers,n is an integer of 1 or more, and u₀, w₀, z₀, u, w, z are each aninteger of 0 or more, $\begin{matrix}{{K:={{e\left( {c_{0},k_{0}^{*}} \right)}{\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}^{\;}\; {{e\left( {c_{t},k_{i}^{*}} \right)}\alpha_{i}{\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}{{e\left( {c_{t},k_{i}^{*}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}\mspace{20mu} {where}\mspace{20mu} {{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}^{\;}\; {\alpha_{i}M_{i}}}},\mspace{20mu} {where}}\mspace{20mu} {{M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M},{I \subseteq {\left\{ {{i \in \left\{ {1,{\ldots \mspace{14mu} L}} \right\}}{\begin{matrix}{\begin{bmatrix}{{\rho (i)} = {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in}} \\{{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} = 0}\end{bmatrix}\bigvee} \\\begin{bmatrix}{{\rho (i)} = {{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge}}} \\{\left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}\end{bmatrix}\end{matrix}}} \right\}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 6} \right\rbrack\end{matrix}$
 6. The cryptographic system according to claim 1, whereinthe transmission device is an encryption device that generates aciphertext ct, and is configured to use an integer i of i=1, . . . , L(L being an integer of 1 ore more) as the index j, use attributeinformation x_(i) for the integer i as the parameter Φ_(j) for the indexj, and generate the ciphertext ct including as the transmission-sidevector t_(j) a cipher vector c_(i) in which information J assigned tothe integer i is set as the coefficient of the basis vector b_(index),and attribute information x_(i) for the integer i is set as thecoefficient of the basis vector b_(att), for each integer i, and whereinthe reception device is a decryption device that decrypts the ciphertextct, and is configured to use the integer i as the index j′, and usepredicate information v_(i) for the integer i as the parameter Ψ_(j′)for the index j′, use as the reception-side vector r_(j′) a key vectork*_(i) in which information J′ having an inner-product of 0 with theinformation J assigned to the integer i is set as the coefficient of thebasis vector b*_(index), and predicate information v_(i) for the integeri is set as the coefficient of the basis vector b*_(att), for eachinteger i, and compute a product of pairing operations on correspondingpairs of the basis vectors of the key vector k*_(i) and the ciphervector c_(i) for the each integer i.
 7. The cryptographic systemaccording to claim 6, wherein the cryptographic system is configured toperform the process using a predetermined basis B₀ and a predeterminedbasis B*₀, and a predetermined basis B and a predetermined basis B*,wherein the transmission device is configured to generate the ciphertextct including a cipher vector c₁ which is a sum of cipher vectors c_(i)for each integer i of i=0, . . . , L, as indicated in Formula 7, andwherein the reception device is configured to compute a product ofpairing operations on the corresponding pairs of the basis vectors ofthe cipher vector c₁ and a key vector k*_(L,dec) which is a sum of keyvectors k*_(i) for the each integer i, as indicated in Formula 8c ₁:=((ω,0^(u) ⁰ ,ζ,0^(W) ⁰ ,{right arrow over (φ)}₀)_(B) ₀,(σ_(t)(1,t),ω{right arrow over (x)} _(t)),0^(u),0^(w),{right arrow over(φ)}_(t))_(B) :t=1, . . . ,L)  [Formula 7] where {right arrow over(x)}_(t):=(x_(t,1), . . . , x_(t,n)), ω, ζ, {right arrow over(φ)}₀:=φ_(0,1), . . . , φ_(0,z) ₀ , σ_(i),{right arrow over(φ)}_(t):=φ_(t,1), . . . , φ_(t,z) are random numbers, and u₀, w₀, z₀,u, w, z are each an integer of 0,k* _(L,dec):=((−s _(dec,0),0^(u) ⁰ ,1,{right arrow over(η)}_(dec,0),0^(z) ⁰ )_(B*) ₀ ,(μ_(dec,t)(t,−1),s _(dec,t) {right arrow over (e)} ₁+θ_(dec,t) {rightarrow over (v)} _(t),0^(u),{right arrow over (η)}_(dec,t),0^(z))_(B*):t=1, . . . ,L),  [Formula 8] where {right arrow over(v)}_(i):=(v_(i,1), . . . , v_(i,n)), {right arrow over(η)}_(dec,0)=η_(dec,0,1), . . . , η_(dec,0,w) ₀ , μ_(dec,t), θ_(dec,t),{right arrow over (η)}_(dec,t)=η_(dec,t,1), . . . , η_(dec,t,w) arerandom numbers, s_(dec,0):=Σ_(t=1) ^(L)s_(dec,t), n is an integer of 1or more, and u₀, w₀, z₀, u, w, z are each an integer of 0 or more. 8.The cryptographic system according to claim 1, wherein the transmissiondevice is a signature device that generates signature data sig, and isconfigured to use an integer t of t=1, . . . , d (d being an integer of1 or more) as the index j, use attribute information x_(t) for theinteger t as the parameter Φ_(j) for the index j, use a key vectork*_(t) in which information J assigned to the integer t is set as thecoefficient of the basis vector b_(index), and attribute informationx_(t) for the integer t is set as the coefficient of the basis vectorb_(att), for at least one integer t, and generate the signature data sigincluding as the transmission-side vector t_(j) a signature elements_(i), for each integer i of i=1, . . . , L (L being an integer of 1 ormore), including the key vector k*_(t) for the integer t correspondingto the each integer i, and wherein the reception device is averification device that verifies the signature data sig, and isconfigured to use the integer i as the index j′, use predicateinformation v_(i) for the integer i as the parameter Ψ_(j′) for theindex j′, use as the reception-side vector r_(j′) a verification elementci in which, for each integer i, information J′ having an inner-productof 0 with the information J assigned to each integer t corresponding tothe each integer i is set as the coefficient of the basis vectorb*_(index), and predicate information v_(i) for the each integer i isset as the coefficient of the basis vector b*_(att), and compute aproduct of pairing operations on corresponding pairs of the basisvectors of the signature element s_(i) and the verification elementc_(i) for the each integer i.
 9. The cryptographic system according toclaim 8, wherein the cryptographic system is configured to perform theprocess using a predetermined basis B₀ and a predetermined basis B*₀, apredetermined basis B and a predetermined basis B*, and a predeterminedbasis B_(d+1) and a predetermined basis B*_(d+1), wherein thetransmission device is configured to generate the signature data sigincluding a signature element s_(i), as indicated in Formula 10, byusing a key vector k*₀, a key vector k*_(t) for at least one integer tof t=1, . . . , d, a key vector_(d+1,1), and a key vector_(d+1,2), asindicated in Formula 9, and wherein the reception device computesFormula 12 for a verification element c_(i) for the each integer i, asindicated in Formula 11, and the signature element s_(i) $\begin{matrix}{{k_{0}^{*}:={\left( {\delta,\overset{\overset{u_{0}}{}}{0^{u_{0}}},\overset{\overset{w_{0}}{}}{{\overset{\rightarrow}{\phi}}_{0}},\overset{\overset{z_{0}}{}}{0^{z_{0}}}} \right)B_{0}^{*}}},{k_{t}^{*}:={\left( {\overset{\overset{2 + n}{}}{{\sigma_{t}\left( {1,t} \right)},{\delta \; {\overset{\rightarrow}{x}}_{t}}},\overset{\overset{u}{}}{0^{u}},\overset{\overset{w}{}}{{\overset{\rightarrow}{\phi}}_{t}},\overset{\overset{z}{}}{0^{z}}} \right)B}},{k_{{d + 1},1}^{*}:={\left( {\overset{\overset{2}{}}{{\delta \left( {1,0} \right)},}\overset{\overset{u_{d + 1}}{}}{0^{u_{d + 1}},}\overset{\overset{w_{d + 1}}{}}{{\overset{\rightarrow}{\phi}}_{{d + 1},1},}\overset{\overset{z_{d + 1}}{}}{0^{z_{d + 1}}}} \right)B_{d + 1}}},{k_{{d + 1},2}^{*}:={\left( {\overset{\overset{2}{}}{{\delta \left( {1,0} \right)},}\overset{\overset{u_{d + 1}}{}}{0^{u_{d + 1}},}\overset{\overset{w_{d + 1}}{}}{{\overset{\rightarrow}{\phi}}_{{d + 1},2},}\overset{\overset{z_{d + 1}}{}}{0^{z_{d + 1}}}} \right)B_{d + 1}}}} & \left\lbrack {{Formula}\mspace{14mu} 9} \right\rbrack\end{matrix}$ where {right arrow over (x)}_(t):=(x_(t,1), . . . ,x_(t,n)), δ, {right arrow over (φ)}₀=φ_(0,1), . . . , φ_(0,w) ₀ , σ_(t),{right arrow over (φ)}_(t)=φ_(t,1), . . . , φ_(t,w), {right arrow over(φ)}_(d+1,1)=φ_(d+1,,11), . . . , φ_(d+1,1,w) _(d+1) , are randomnumbers, {right arrow over (φ)}_(d+2)=φ_(d+1,2,1), . . . , φ_(d+1,2,w)_(d+1) n is an integer of 1 or more, and u₀, w₀, z₀, u, w, z are each aninteger of 0 or more, s 0 * := ξ   k 0 * + r 0 * ,  s i * := γ i · ξ  k t * + ∑ t = 1 n   y i , t · b t , i * + r i * , for   1 ≤ i ≤L ,  s L + 1 * := ξ  ( k d + 1 , 1 * + H · k d + 1 , 2 * ) + r L + 1 *,  where   ξ , r o * , r i * , r L + 1   are   random   numbers,  γ i , y → 1 = ( y i , 1 , …  , y i , n )   are   defined   as  if   i ∈ I ⋀ ρ  ( i ) = ( t , v → i ) ,  γ i := α i , y → i  ←U  { y → i  y → i · v → i = 0 ⋀ y i , 1 = β i } ,  if   i ∈ I ⋀ ρ ( i ) =  ( t , v → i ) ,  γ i := α i v → i · x → t , y → i  ← U  { y→ i  y → i · v → i = 0 ⋀ y i , 1 = β i } ,  if   i ∉ I ⋀ ρ  ( i ) =( t , v → i ) ,  γ i := 0 , y → i  ← U  { y → i  y → i · v → i = 0 ⋀y i , 1 = β i } ,  if   i ∉ I ⋀ ρ  ( i ) =  ( t , v → i ) ,  γ i:= 0 , y → i  ← U  { y → i  y → i · v → i = β i } ,  ( β i )  ← U { ( β i , …  , β L )  ∑ i = 1 L   β i  M i = 0 → } ,  M   is  an   L  -  row   and   r  -  column   matrix ,  ρ  ( i )  is   a   variable   to   which   ( t , v → i )    or   ( t , v → i )   is   assigned   in   advance ,  and   H  is   a   hash   value , [ Formula   10 ] c 0 := ( - s 0 , - sL + 1 , 0 u 0  u 0 , 0 w 0  w 0 , η → 0  z 0 )  0 * ,  if   ρ  (i ) = ( t , v → i ) ,  c i := ( μ i  ( t , - 1 , ) , s i  e i + θ i v → i   2 + n  0 u  u , 0 w  w , η → i  z )  B * ,  if   ρ  (i ) =  ( t , v → i ) ,  c i := ( μ i  ( t , - 1 , ) , s i  v → i  2 + n  0 u  u , 0 w  w , η → i  z )  B * , [ Formula   11 ] where{right arrow over (v)}_(i):=(v_(i,1), . . . , v_(i,n)), {right arrowover (η)}₀=η_(0,1), . . . , η_(0,z) ₀ , μ_(i), θ_(i), {right arrow over(η)}_(i)=η_(i,1), . . . , η_(i,z), {right arrow over(η)}_(L+1)=η_(L+1,1), . . . , η_(L+1,z) are random numbers, s₀:={rightarrow over (1)}·{right arrow over (f)}^(T), {right arrow over(s)}^(T):=(s₁, . . . , s_(L))^(T):=M·{right arrow over (f)}^(T), {rightarrow over (f)} is a vector having r pieces of elements, M is an L-rowand r-column matrix, ρ(i) is a variable to which (t, {right arrow over(v)}_(i)) or

(t, {right arrow over (v)}_(i)) is assigned in advance, n is an integerof 1 or more, and u₀, w₀, z₀, u, w, z are each an integer of 0 or more,Π_(i=0) ^(L+1) e(c _(i) ,s* _(i)).  [Formula 12]
 10. A cryptographicmethod for performing a process using a predetermined basis B and apredetermined basis B*, the cryptographic method comprising: generatinga transmission-side vector t_(j) for at least one index j out of aplurality of indices j, the transmission-side vector t_(j) being avector in which information J assigned in advance to the index j is setas a coefficient of a predetermined basis vector b_(index) of the basisB, and a parameter Φ_(j) for the index j is set as a coefficient ofanother basis vector b_(att) of the basis B, by a transmission device;and using a reception-side vector r_(j′) for at least one index j′ outof a plurality of indices j′, the reception-side vector r_(j′) being avector in which information J′ having an inner-product of 0 with theinformation J assigned in advance to the index j corresponding to theindex j′ is set as a coefficient of a basis vector b*_(index) of thebasis B* corresponding to the basis vector b_(index), and a parameterΨ_(j′) for the index j′ is set as a coefficient of a basis vectorb*_(att) of the basis B* corresponding to the basis vector b_(att), andcomputing a product of pairing operations on corresponding pairs of thebasis vectors of the transmission-side vector t_(j) for the index j andthe reception-side vector r_(j′) for the index j′ corresponding to theindex j, by a reception device.
 11. A cryptographic program forperforming processes using a predetermined basis B and a predeterminedbasis B*, the cryptographic program causing a computer to execute: atransmission process of generating a transmission-side vector t_(j) forat least one index j out of a plurality of indices j, thetransmission-side vector t_(j) being a vector in which information Jassigned in advance to the index j is set as a coefficient of apredetermined basis vector b_(index) of the basis B, and a parameterΦ_(j) for the index j is set as a coefficient of another basis vectorb_(att) of the basis B; and a reception process of using areception-side vector r_(j′) for at least one index j′ out of aplurality of indices j′, the reception-side vector r_(j′) being a vectorin which information J′ having an inner-product of 0 with theinformation J assigned in advance to the index j corresponding to theindex j′ is set as a coefficient of a basis vector b*_(index) of thebasis B* corresponding to the basis vector b_(index), and a parameterΨ_(j′) for the index j′ is set as a coefficient of a basis vectorb*_(att) of the basis B* corresponding to the basis vector b_(att), andcomputing a product of pairing operations on corresponding pairs of thebasis vectors of the transmission-side vector t_(j) for the index j andthe reception-side vector r_(j′) for the index j′ corresponding to theindex j.